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Abstract 


This thesis presents new results in the use of term rewriting systems for automatic theorem 
proving. The design and implementation of REVE 2, a computer program that incorporates 
these results, is described. In addition, an introduction to the basic theory, procedures, and 
algorithms of term rewriting is provided, in a manner suitable for non-specialists. 


A principal application of rewriting systems is reasoning about the equational and inductive 
theories associated with a finite set of axioms. In this context, the Knuth-Bendix completion 
procedure is typically used in the hope of constructing a confluent and terminating rewriting 
system from the axioms. Knuth-Bendix incrementally ensures termination by using a reduc- 
tion ordering on terms to order equations into rewrite rules during the completion process. 
Serious impediments to the use of Knuth-Bendix in automatic proofs of equational and induc- 
tive theorems have been: 1) the need for user interaction, and 2) the lack of available state-of- 
the-art implementations. , 


REVE 2 reduces the need for user interaction in two ways. First, it uses automatic orderings, 

_ whose implementations automatically compute all of the possible valid extensions to the or- 
dering that allow an unorderable equation to be ordered. Second, it uses a robust, task- 
based, failure-resistant Knuth-Bendix design that incorporates a fine-grained scheme for 
automatic equation postponement. : 


From the beginning, it has been a fundamental design goal to make REVE 2 a well- 
documented, highly-modular, easily-modified program, based on sound principles of software 
engineering. The user interface to REVE 2 has been designed for ease of use by both novice 
and expert. 
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Preface 


This thesis documents the theory and design behind the REVE 2 term rewriting system gener- 
ator. Though most of the new material contained in this document originated with the author, 
REVE is in no way a single-handed effort. It is a team project, reflecting the work of resear- 
chers from several laboratories and serving a growing international community of users. 


An implementation of the Knuth-Bendix completion procedure was produced by John Goree 
[Goree 81] in John Guttag’s Systematic Program Development (SPD) group at the MIT 
Laboratory for Computer Science. Though only a bare-bones implementation, it featured a 
modular design, and the subsidiary abstractions used by Knuth-Bendix were organized as 
layered "virtual machine" primitives. 


REVE 1 [Lescanne 83a] was conceived and implemented by Pierre Lescanne’, a researcher 
at the Centre de Recherche en Informatique de Nancy (CRIN) in France, during his visit with 
SPD in 1980-82. It included one of the first implementations of Knuth-Bendix to deal effec- 
tively and flexibly with rewriting system termination, making use of a new, incremental class of 
simplification orderings [Jouannaud 82a}. REVE 1 pioneered the idea of extending the order- 
ing, as needed, during termination proofs. The program had an interactive interface that 
allowed users to enter equations and rewrite rules in conventional notation (including infix), 
and provided a number of user commands that allowed access to some basic rewriting and 
unification primitives. REVE 1 introduced important notions regarding the style and scope 
appropriate to a system for experimenting with term rewriting. 


REVE 2 has been written from the ground up, using and expanding on the ideas in REVE 1. 
However, REVE 2 has the additional goals of providing 1) a solid source code base upon 
which to build, 2) automatic theorem proving capabilities, suitable for embedding in other 
applications, and 3) a friendly and powerful user interface. REVE 2 has been carefully 
modularized and documented to meet the first goal, including a complete set of data and 
procedural abstraction implementations that are pertinent to rewriting applications. We have 
made substantial progress toward the second goal by incorporating features into REVE 2 that 


‘the name "REVE," pronounced "rev," was chosen by Lescanne.- Réve is a French word, meaning "dream." 


allow termination proofs and Knuth-Bendix to proceed nearly automatically. The third goal 
has been addressed with a flexible command interpreter that provides a rich set of com- 
mands, on-line help facilities, and detailed error messages. REVE is an “open system": 
anyone may obtain the source code and tailor it to their purposes. It is hoped that REVE 2 can 
serve as groundwork for implementation efforts by many researchers, permitting easier trans- 
ference of algorithms among colleagues and expanded opportunities for experimentation. 


The author designed and implemented the core of REVE 2, including the failure-resistant 
Knuth-Bendix, during 1982-83. David Detiefs, also of SPD, designed and implemented the 
EPOS automatic ordering, and has taken over primary responsibility for maintaining REVE. 
We have also greatly profitted from related theoretical and implementation work of colleagues 
in SPD, at CRIN, at General Electric Corporate Research and Development, at the State 
University of New York at Stony Brook, and at the University of Illinois at Urbana-Champaign. 


REVE 2 is currently in use in many university and industrial laboratories in the United States 
and abroad. The source code and executable version of REVE, together with the CLU [Liskov 
81] programming language in which it is implemented, are available for research and educa- 
tional uses for a nominal distribution charge. REVE and CLU currently run on VAX? 
computers under Berkeley UNIX°. Inquiries should be sent to John V. Guttag, MIT Laboratory 
for Computer Science, 545 Technology Square, Cambridge, MA 02139. 


In this thesis, we will refer to REVE 2 as simply REVE. 


Randy Forgaard 
September 1984 


2VAX is a Trademark of Digital Equipment Corporation. 


SUNIX is a Trademark of AT&T Bell Laboratories. 


Maseas 3 OBST ARRRAEeEER R esRBRssss Z 


# 


4.3.4 Computing Normal Forms of Postponed Equations _ 


4.3.5 Knuth-Bendix Tasks and Organization 
4.4 Knuth-Bendix Using Automatic Onderings- 


Chapter Five: The REVE Program 


ppp ang arrell 


a1 Summary of Contebatiane 


88sa 


SSSSERSBREGSTALIRR 


4 
] 
i 
: 
i 


i 
£ 
t 


TETTETLGTLTTTTTTTTTTTT2 | 
ITE Peeee $ ee eee. Pep epee 


eae ‘Table of Figures 


352 Sistemas arenas REVE 


i 7 SESRRSWIANTASWSSAASSBRBRBSS 


Chapter One 


introduction 


1.1 Background 


In recent years there has been a surge of interest in term rewriting systems. This has been 
sparked both by significant progress in understanding the theoretical aspects of rewriting 
systems and by the development of important new applications for these systems. These 
applications include automated deduction, program verification, specification analysis, 
program transformation, synthesis of programs, compilers, data base management systems, 
computer algebra systems, and the study of word problems in algebra, where term rewriting 
methods were first applied. , 


Term rewriting systems are often used to reason about the equational and inductive theories 
associated with a finite set of equations, cailed axioms. For nearly any interesting equational 
or inductive theory, the equivalence classes with respect to that theory are infinite. Proving 
that a particular equation is in the equational or inductive theory of a set of axioms is typically 
an ad-hoc process, using those axioms and the proof rules of equational and inductive 
reasoning. However, in some cases, a rewriting system with certain properties can be con- 
structed for thase axioms, enabling proofs to be effectively automated. 


A rewriting system is a set of rewrite rules. Each rule is a "one-way" equation: if a term, or 
one of its subterms, matches the form of the left-hand side of the rule, the term or subterm 
may be "rewritten" to have the form of the rule’s right-hand side. Every rewrite rule in a 
rewriting system for a set of axioms is in the equational theory of those axioms, so using a rule 
to rewrite a term is a valid inference in that equational theory. Once a term has been rewrit- 
ten, one may further rewrite its rewritten form, to produce more rewritten forms, all of which 
are equivalent to the original term in the equational theory. A "normal form" for a term is a 
_fewritten form of that term that cannot be rewritten further using any rule in the rewriting 
system. If all terms have a normal form with respect to the rewriting system, the rewriting 
system is said to "terminate." The rewriting system is "confluent" if, for any term, the normal 
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form of that term is the same no matter what order the rules are applied, whenever a normal 
form exists. Rewriting systems that are both terminating and confluent are said to be 


"convergent." 


To automate equational theorem proving, we are interested in finding a convergent rewriting 
system for a set of axioms. For such a rewriting system, an equation is in the equational 
theory of the axioms if and only if the normal forms of its two sides are the same. 
Unfortunately, both termination and confluence are undecidable, which complicates the 
problem of finding a convergent rewriting system for a given set of axioms. However, widely- 
applicable and easily-automated sufficient conditions for these two properties are known. A 
popular method for proving termination is to exhibit a “reduction ordering" on terms such 
that, for each rule in the rewriting system, the left-hand side is greater than the right-hand side 
under that ordering. Several such reduction orderings have emerged in recent years. Once 
termination has been established, confluence is decidable. When a terminating rewriting 
system is not confluent, one may use a special technique, calied the Knuth-Bendix completion 
procedure, for adding additional rules to the system in the hope of achieving confluence. All 
rules added in this manner are in the equational theory of the original axioms, so the theorem 
proving utility of the rewriting system is preserved. When a convergent rewriting system for a 
set of axioms can be constructed in this manner, one has an efficient decision procedure for 
the equational theory of those axioms. 


Convergent rewriting systems are also useful in automatically proving inductive theorems. To 
prove, by hand, that an equation is in the inductive theory of a set of axioms, one must 
inductively show that the theorem holds for all ground terms contructed from operators that 
appear in those axioms. However, if all such operators are completely defined with respect to 
the axioms, an "inductiontess induction" approach may be used to prove inductive theorems. 
This automatic method consists of using Knuth-Bendix to construct a convergent rewriting 
system for the axioms together with the proposed inductive theorem. If such a rewriting 
system can be built, the proposed equation is an inductive theorem of the original axioms if 
and only if Knuth-Bendix finds no inconsistencies in the equational theory. 


Of interest, then, is the availability of powerful and easy to use programs that incorporate 
implementations of reduction orderings and Knuth-Bendix. Some current systems that 
provide some of these capabilities are Affirm [Musser 60a], FORMEL [Huet 80a, Huet 82], RRL 
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[Kapur 84a], and [Gobel 84]. REVE, the subject of this thesis, differs from these programs by 
providing implementations of the pertinent procedures that allow theorem proving to proceed 


almost totally automatically. 


1.2 Motivation for Building REVE 


While the progress of research into rewriting systems has been significant, it has been im- 
peded by the inordinate difficulty of implementing and using the increasingly complex 
procedures and algorithms prevalent in current term rewriting research. The crux of the 
problem is twofold: the large effort required to build state-of-the-art software, and the dif- 
ficulty of acquiring usable software from others. The difficulty of acquiring or constructing 
good rewriting software serves both to slow down the work of those already involved in 
studying or using term rewriting systems and to inhibit the entry of new researchers into the 
field. It affects theoretical work as well as application-oriented work. 


1.2.1 Building Applications 

It is becoming increasingly likely that mechanical inference techniques based on term rewrit- 
ing can be useful in a wide variety of applications. Unfortunately, it is exceedingly difficult for 
anyone who is not well versed in the theory of rewrite rule systems to make good use of them. 
Not only must one contend with all the normal problems that arise in relatively large software 
projects, but one is also faced with a number of problems peculiar to this kind of effort. 
Simply to program efficient implementations of the basic primitives requires: 

(1) Conducting a literature search to find appropriate algorithms, 


(2) Reading and understanding several papers that are almost certainly aimed at a 
relatively theoretically-minded audience, 


(3) Choosing a representation for the primitive data objects and mapping the al- 
gorithms presented in papers (each of which is likely to have used different 
representations) onto those representations, and finally 

(4) Implementing it all in some programming language. 


After the primitives are implemented, the problem of understanding and implementing a grow- 
ing number of useful but complex procedures, e.g., the Knuth-Bendix completion procedure 
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or associative-commutative unification, remains. Once this rather lengthy digression is com- 


plete, one can finally begin working on application-related problems. 


A major problem in acquiring software upon which one can build is that there is relatively little 
exportable software available. What there is, has, in general, been built for a particular use: 
to test a particular algorithm or to provide a particular facility. These programs rarely come 
with the hooks necessary to make them good building blocks. Pulling them together into a 
coherent system is almost impossible. They are written in different languages (mostly dialects 
of LISP), they use different representations of basic objects (e.9., terms), and they are often 
sparsely documented. 


1.2.2 Theoretical Work 


While accessing and understanding the relevant literature presents less of a problem to the 
theoretically-oriented than to those interested primarily in applications, the difficulties com- 
mon to the production of all software are likely to present more of a problem. Certainty, the 
investment of considerable amounts of time in software development represents a serious 
digression for the theoretical group. Unfortunately, there are at least two excellent reasons 
why such a digression may seem useful or even necessary. 


First, the manipulation of examples plays a vital role in much of the theoretical work in the 
rewrite rule area. Before trying to prove a difficult conjecture one often spends some time 
looking for a counterexample. If one finds such a counterexample, it may indicate a useful 
way to "patch" the conjecture. At the very least, it spares one the trouble of trying to prove a 
false conjecture. If one doesn’t find a counterexample, an examination of why the examples 
tried were not counterexamples is often very helpful in constructing a proof of the validity of 
the conjecture. In a similar vein, one often develops new conjectures through the study of 
examples. It is sometimes possible to work these examples by hand, but doing so is generally 
too difficult to consider. The alternative of writing a program to experiment with an unproven 
idea is also usually seen as being prohibitively time-consuming. 


The second reason is that it is difficult to judge the utility of much of the work in this area. 
Decision procedures don’t exist for deciding most of the important questions about a rewrit- 
ing system; e.g., is it terminating, is it confluent, is this or that theorem in its theory, etc. 


12 


Chapter 1 Introduction 


Consequently, a great deal of effort has been devoted to the development of restricted 
classes of rewriting systems for which some questions are decidable, and to the development 
of semi-decision procedures for unrestricted sets of rewrite rules. The utility of such work 
often hinges on whether it deals with a significant subset of those sets of rules that arise in 
various applications. Even when a technique is in principle applicable to a wide class of 
rewriting systems, efficiency issues often arise. The worst case running time of many impor- 
tant procedures and algorithms is clearly prohibitive. This leads one to consider average case 
behavior. However, meaningful analytic results in this area can be exceedingly difficult to 
derive. One may have to consider such things as the number of rules, the size of the rules, the 
structure of the rules, etc. In many cases, a procedure’s primary use is as a subroutine of 
some other procedure, and its efficiency is most productively studied in a specialized context | 
established by the calling procedure. 


The difficulty of judging the utility of new procedures and algorithms leads one to attempt 
empirical evaluation. Unfortunately, it is usually impossible to conduct useful experiments by 
hand. One has the choice of either implementing one’s techniques and trying them on an 
appropriate data base of examples (which one will probably have to create), or merely 
speculating on the applicability of those techniques. Researchers in the field, confronted with 
the difficulty of doing the former, have almost invariably chosen the latter. 


REVE has been designed to help meet the above needs of both theoreticians and potential 
users of rewriting applications. We hope it can facilitate the conducting of experiments with 
rewriting systems, supply the primitives needed for automatic theorem proving, and provide a 
firm base upon which to bulld application programs. 


1.3 Overview of Thesis 


This thesis introduces the basic theory and procedures related to term rewriting, presents 
new results in automatic theorem proving using rewriting systems, and describes the design 
and implementation of REVE, which incorporates these results. Potential areas of future 
research and implementation are also indicated, and a complete description of REVE’s user 
commands is provided. 


During the course of completing a system, the Knuth-Bendix completion procedure uses a 
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reduction ordering to prove the termination of the rewriting system it constructs from the set 
of axioms. The choice of an appropriate ordering intimately depends on the particular axioms 
and the equations that get generated during the completion. psocess. In the past, most Knuth- 
Bendix implementations have required that the reductioo. asdering be given a priori, a sig- 
nificant impediment to automatic theorem proving. Lescanne’s REVE 1 introduced the impor- 
tant refinement of allowing, and helping, the user to dynamically extend the reduction order- 
ing to order equations as they are encountered. REVE 2 improves on this scheme with the 
use of automatic orderings, whose implementations automatically compute all of the possible 
valid extensions to the ordering that allow an unorderable equation to be ordered. Here, we 
review the most popular classes of reduction orderings, present a new class of orderings that 
is more powerful than most, and present the theoretical and implementation issues in making 
these orderings automatic. 


In addition, REVE 2 incorporates a new, "tailure-resistant" implementation of the Knuth- 
‘Bendix completion procedure, which has been designed with automatic theorem proving in 
mind. This implementation uses a fine-grained approach to automatic equation postpone- 
ment that categorizes equations based on the degree of difficulty they pose to the completion 
process. The Knuth-Bendix procedure is formulated as an ordered sequence of tasks 
designed to expedite the completion process and maximize the chances for successful ter- 
mination. The order of the tasks within the sequence can be easily modified to accomodate 
varying requirements. 


REVE is designed to be a practical, easy to use implementation of theoretical results pertain- 
ing to equational and inductive theorem proving using term rewriting. It has been carefully 
modularized and documented to facilitate understanding and use. REVE will have fulfilled its 
purpose if theoreticians can modify it to experiment with new results, and if software en- 
gineers can extend it for use in real wortd applications. 


The organization of the thesis progresses from theory to practice. Chapter 2 is an intro- 
duction to equational and inductive theories, and proving theorems using rewriting systems 
and Knuth-Bendix. Chapter 3 introduces automatic orderings and presents a procedure for 
automatically constructing terminating rewriting systems. Chapter 4 describes the design of 
REVE’s failure-resistant Knuth-Bendix implementation. Chapter 5 describes REVE itself: the 
user interface, example usage, and the program modules that comprise its CLU impiemen- 
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tation. Chapter 6 summarizes the thesis, highlights some possible areas of future work, and 


reflects on the engineering obstacles encountered in building REVE. The Appendix 


describes, in detail, each of the user commands provided in the current version of REVE. 
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Chapter Two 


Term Rewriting Systems and Proof Theory 


2.1 Introduction 


This chapter introduces equational theories, inductive theories, and term rewriting systems, 
as they pertain to REVE. We begin by defining notions related to terms and substitutions. We 
then discuss equational and inductive theories, and what it means to prove a theorem in each 
kind of theory. We describe term rewriting systems, and the process of rewriting. Two 
important properties of rewriting systems, termination and confluence, are characterized, and 
shown to provide a decision procedure for equational theories. We show how the Knuth- 
Bendix completion procedure can be used to generate such a decision procedure. Finally, 
we introduce inductionless induction, a technique that uses Knuth-Bendix to prove inductive 
theorems. Our development here takes an operational view of rewriting. See [Huet 80a] for a 
treatment using relations. 


2.2 Terms and Substitutions 


We assume a finite set of distinguishable symbols called operators. Examples of operators 
are + in arithmetic, concat in lists, and true in boolean. We also assume a disjoint set of 
distinguishable symbols called variables. 


A term is defined inductively as either (1) a variable, or (2) an operator and a sequence of 
terms. In the latter case, if f is the operator and ty, »» t, is the sequence of terms, the term is 
denoted (ty, vs ty) f is called the root operator, and the t, are called the arguments of the 
term. The number of arguments, n, is called the arity of f. Here, we assume that an operator's 
arity is fixed. When the root is binary (i.e., has arity 2), we often use the infix form, @.g., x+y, 
and use parentheses to resolve ambiguity. An operator with zero arity is called a constant. 
We will denote a constant by its name, with no accompanying parentheses. We use Tt) to 
denote the set of variables that occur in aterm t. When Nt) = {}, tis said to be a ground term. 
By convention, we will reserve the symbols u, v, ..., z for variables, so that variables and 
constants can be distinguished. 
16 
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The subterms of a term are the term itself and the subterms of its arguments. A subterm s 
within a term t can be designated by an occurrence, which is a sequence of positive integers 
denoting an access path in the term. We use A to denote the empty sequence. The 


occurrence set of aterm t, O(t), is the set of occurrences of all its subterms. Formally, 


O(t) = {A} if tis a variable or constant, 
O(t) = {A} U fi.9g]q € O(t);i = 1,...,9} ift = (ty, ot) 


For example, ift, = f(g(x), A(z) + 1, y), O(t,) = {A, 1, 1.1, 2, 2.1, 2.1.1, 2.2, 3}. lfq € O(f), t/q is 
the subterm of the term t at occurrence gq, defined by 


V/A = t, 
tliq = t/q ift = f(t,,..t,). 


For example, t,/2.1 = h(z). We use t[q+—s] to denote the term t with the subterm at occur- 
rence q replaced by the term s. Thus, t,[1 .1—h(v)] = fg(h(v)), A(z) + 1, y)). 


A substitution, o, is a mapping from variables to terms such that o(x) = x for ail but a finite 
number of variables. We can represent a substitution by a finite set of ordered pairs, denoted 
o = {x,+-1,, ... x,+-t,}. We extend the domain of a substitution to the set of all terms by 
defining 

o(f(t,, 1 t,)) = Ao(t,), .-. o(t,))- 
For example, if we have the substitution « = {x+h(v), z~-g(g(z)), yz} and the term t, = 
f(z, gly), v, h(x)), we can apply o to obtain o(f,) = f9(9(z)), g(2), v, h(A(v))). 


Two terms, s and t, are said to be unifiable if and only if there exists a substitution, o, such 
that o(s) = o(f). The substitution ¢ is called a unifier of s and t. For example, ifs = 
f(g(x), h{y)) and t = f(y, z), one of their unifiers iso, = {x+-4 + w, y—g(4 + w), 2—h(g(4 + w))}. 
For this unifier, o,(s) = 0,(t) = Kg(4+w), h(o(4+w))). Whenever two terms are unifiable, 
they have a most general unifier, mgu, such that every unifier contains mgu as a factor (in 
terms of functional composition). The most general unifier of two terms is unique, up to 
variable renaming. For s and t above, mgu = {y+g(x), z~—h(g(x))}. The unifier 0, above can 
be expressed as the functional composition 0, = o, ° mgu, where o, = {x+-4+w}. The 
unification of two terms, s and t, is mgu(s) (which is the same as mgu(t)) for their most general 
unifier, mgu. With s and t as above, f(g(x), h(g(x))) is their unification. 


Unification plays a central role in resolution theorem proving [Robinson 65] and logic pro- 
gramming [Kowalski 74]. We shall use unification in the context of the Knuth-Bendix comple- 
tion procedure, described in Section 2.6. Many algorithms to perform unification have been 
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proposed (e.g.,[Robinson 71] and [Baxter 73]), including those that run in linear-time 
[Paterson 78]. The algorithms in [Martelli 82] and [Corbin 83] are particularly fast in practice. 


A term, s, is said to match (or have the form of) a term, t, if and only if there exists a substitu- 
tion o such that s=o(t). When the domain of o is restricted to the set of variables in t, o is 
unique and is called the match of s by t. For example, s = f(g(h{y)), A(y)) has the form of 
t = f(g(x),x), and the match of s by t is 0 = {x+-h(y)}. Matching can be thought of as 
"one-way" unification, where unification is permitted in only one of the terms. 


2.3 Equations and Proof Theory 


2.3.1 Equational Theories 


- An equation is an undirected pair of terms, written s=tf. In equations, all variables are 
(implicitly) universally quantified. A ground instance of an equation, s=tf, is an equation, 
a(s) = o(t), that contains no variables, where o is some substitution. : 


We are interested in the equational theory, =, of a set of equations, &. The equational 
theory of & consists of the closure of & under the following rules of inference: reflexivity, 
symmetry, transitivity, universal instantiation, and replacement of equals for equals. We say 
that & is a set of axioms for = g: If an equation, s=1, isin = ¢, we say that s =f is an equational 
theorem (or equational consequence) of &, and we writes = gt 


Figure 2-1 presents a set of axioms for groups. Here, * is the binary operation, x7! denotes 
the inverse of x, and e is the identity. An example formal proof is given in Figure 2-2. Starting 
with the axioms, the rules of inference are used to prove that 

Qty ax (1) 
is an equational theorem. Note that the result of each proof step is itself an equational 
theorem. 


Note that the group axioms, as given in Figure 2-1, state that e is the left identity, but not that it 
is the right identity. However, during the course of proving Equation 1 in Figure 2-2, we show, 
in Step 16, that x°e = x is an equational consequence of the axioms. The generation of useful 
“temmas," such as this one, is also a by-product of the automatic theorem proving method in 
Section 2.6. 
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Figure 2-1: Axioms for Group Theory 


(1) e*x =x 
(2) x ley =e 


(3) (x*y)*z = x*(y*z) 


Figure 2-2: Proof of an Equational Theorem About Groups 


{1} e*x =x (axiom) 
[2] x texze (axiom) 
[3]  (xey)ez =x*(y*z) (axiom) 
# ie Reon e (apply o = apa } to or 
5] (Gy tex tex =x (insert [4] into [1 
[6] (ty tex )ex = ie x tex) (apply 0 = {x—(x")1, yx", zx} to [3)) 
[7] wey ex Vey = (x7!) 109 (insert [2] into [6]) 
[8] xy tee ax . (insert [7] into [5]) 
[9] ere =e (apply o = {x+-e} to [1]) 
{10} (x""y'*(e*e) =x (insert [9] into [8]) 
[11] (OY te)ve = (x-")"Te(e*@) (apply o = {x+—(x"')", ye, z~-#} to [3]) 
beer “elias 
[14] (0) tex"*)ex)oe =x (insert [6] into [13}) 
‘ a (e*x)°e =x (insert + shee - a 
16] x*e=x (insert [1] into [15 
117] Oty teen oct (apply o = {x+-(x"')"'} to [16]) 
[18] Octy tax | (insert [8} into [17]) 


Most equational proofs, such as the one in Figure 2-2, are tedious and time-consuming to 
construct by hand. However, the myriad details in this style of proof are well-suited to 
automation. 
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2.3.2 Inductive Theories 


Although "equational theory" is a useful notion in the context of algebraic structures like 
groups, it is less useful in the context of abstract data types. Consider the set of axioms about 
lists shown in Figure 2-3. These axioms presume that lists are built from the operators nuil (a 
constant) and cons, where nu// denotes the empty list, and where the first argument to cons is 
a list element and the second argument is a list. (For convenience, we use "list" here to mean 
a term that denotes a list.) The axioms describe concat, which concatenates two lists, and 


reverse, which reverses a list, in terms of nu/f and cons. The equation 
reverse(concat(cons(x, cons(y, null)), cons({z, null))) = cons(z, cons(y, cons(x, null))) 


is an equational theorem of these axioms. However, most interesting and generally- 


applicable fist theorems are not in the equational theory; e.g., 
reverse(reverse(x)) =x (2) 


Figure 2-3: Axioms About the Theory of Lists 


(1) concat(null, x) = x 
(2) concat(cons(x, y), 2) = cons(x, concatty, z)) 
(3) reverse(null) = null 


(4) reverse(cons(x, y)) = concat(reverse(y), cons(x, nuil)) 


Nevertheless, Equation 2 is a theorem, in the sense that every ground instance of Equation 
2 that consists only of the operators in the axioms of Figure 2-3 is an equational theorem of 
those axioms. The inductive theory of a set of axioms consists of their equational theory, plus 
all equations for which all ground instances are in the equational theory*. We will refer to the 
equations in the inductive theory as inductive theorems. Below, we show that Equation 2 is 


an inductive theorem of lists. 


The "inductive theory" is so named because we ordinarily prove inductive theorems using 
data type induction. This typically proceeds as follows: One designates certain operators as 


‘The initial algebra is a model of the inductive theory. 
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constructors of the data type of interest. One then shows that each ground term of that type 
is equivalent to at least one ground term consisting only of constructors; one usually proves 
this using induction on the structure of ground terms. if the latter property holds, the type is 
said to be fully specitied® [Musser 80b]. Then, to prove an inductive theorem (again using 
structural! induction), one need only show that the theorem holds for all ground terms consist- 


ing solely of constructors of the type. 


Consider the constructors for lists. It can be shown that all ground terms constructable using 
the operators in Figure 2-3 can also be built using only cons and null. (We omit this proof 
here.) We designate cons and null to be the list constructors. Given the choice of operators 
in Figure 2-3, we have chosen the only minima! constructor set. In general, however, the 
minimal set will not always be unique. For example, if we define another operator, append, 
that appends an element to the right end of a list, {cons, null} and {append, null} serve 
equally well as minimal constructor sets, since any list can be constructed using the construc- 
tors in either set. 


Having selected the constructor set {nu//, cons}, and proved (or asserted) that lists are fully 
specified with respect to these constructors, one may proceed to prove an inductive theorem. 


We first present a theorem that will be useful in our proof of Equation 2: 
reverse(concat(x, cons(u, null))) = cons(u, reverse(x)) (3) 


A proof of this equation is given in Figure 2-4. In the proof, we induct over the number of 
elements in the list denoted by x; i.e., over the number of occurrences of cons in x. The basis 
step proves the theorem for lists with zero elements (i.e., nui/ lists). The induction step 
assumes the induction hypothesis holds for lists of length n (we denote such lists by s), and 
proves the theorem for lists of length n + 1 (denoted by cons(v, s), where v is any list element). 
In this way, we prove the theorem for all lists, since any list can be constructed using nui! and 
cons. Using Equation 3 as a theorem, Figure 2-5 proves that Equation 2 is an inductive 
theorem of lists. Note that, except for the induction principle, a formal inductive proof uses 
the same rules of inference as in equational proofs. 


Like equationail proofs, proving inductive theorems is typically time-consuming. These proofs 
“by hand" also require creativity and trial-and-error to discover which inductive lemmas 


SThe notion of full specification is closely related to that of sufficient completeness [Guttag 78a). 
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Figure 2-4: Proof of an Inductive Lemma About Lists 


[1}  concat(null, x) =x (axiom) 
[2] concat(cons(u, x), y) = cons(u, concat(x, y)) (axiom) 
{3] reverse(nuill) = null (axiom) 
[4] reverse(cons(u, x)) = concat(reverse(x), cons(u, null)) (axiom) 


Basis step: Show that the theorem holds for the list nui. 
[5] reverse(cons(u, null)) = concat(reverse(null), cons(u, null)) (apply o = {x+—nuil} to [4]) 
[6] concat(null, cons{u, null)) = cons(u, null) (apply o = {x—cons(u, null)} to [1]) 
[7] reverse(concat(null, cons(u, null))) = concat(reverse(null), cons(u, null)) 
(insert [6] into [5]) 


[8] reverse(concat(null, cons(u, null))) = concat(null, cons(u, null)) (insert [3] into [7]) 
[9] reverse(concat(null, cons(u, null))) = cons(u, null) (insert [6] into [8]) 
[10] reverse(concat(null, cons(u, nul/))) = cons(u, reverse(null)) {insert [3] into [9]) 


Induction step: Assume the theorem holds for the list s. Show that it holds for the list 
cons(v, $). 
[11] concat(cons(u, reverse(s)), cons(v, null)) = cons(u, concat(reverse(s), cons(v, nuil))) 
(apply o = {x+-reverse(s), y—cons(v, null)} to [2]) 
[12] reverse(cons(v, s)) = concat(reverse(s), cons(v, null)) (apply o = {x+—s, uv} to [4]) 
[13] concat(cons(u, reverse(s)), cons(v, null)) = cons(u, reverse(cons(v, 5))) 
(insert [12] into [11]) 
[14] concat(reverse(concat(s, cons(u, null))), cons(v, null)) = cons(u, reverse(cons(v, $))) 
(insert induction hypothesis into [13]) 
[15] reverse(cons(v, concat(s, cons(u, null)))) = 
concat(reverse(concat(s, cons(u, null))), cons(v, null)) 
(apply o = {ue—v, x-—concat(s, cons(u, nuil))} to [4]) 
[16] reverse(cons(v, concat(s, cons(u, nuill)))) = cons(u, reverse(cons(v, s))) 
(insert [15] into [14]) 
[17] concat(cons(v, s), cons(u, null)) = cons(v, concat(s, cons(u, null))) 
(apply o = {u+—v, ye—cons(u, null), x+~s} to [2]) 
[18] reverse(concat(cons(v, s), cons(u, nuill))) = cons(u, reverse(cons(v, s))) 
{insert [17] into [16]) 


Conclude: 
[19] reverse(concat(x, cons(u, null))) = cons(u, reverse(x)) 
({10], [18], and induction principle) 
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Figure 2-5: Proof of an Inductive Theorem About Lists 


We will use the fact that Equation 2-4 is an inductive theorem. 


[1] concat(null, x) =x (axiom) 
[2] concat(cons(u, x), y) = cons(u, concat(x, y)) (axiom) 
[3] reverse(null) = null (axiom) 
[4] reverse(cons(u, x)) = concat(reverse(x), cons(u, nuil)) (axiom) 


Basis step: Show that the theorem holds for the list nu//. 
[5] reverse(reverse(null)) = null (insert [3] into [3]) 


induction step: Assume the theorem holds for the list s. Show that it holds for the list 
const(u, s). 
[6] reverse(concat(reverse(s), cons(u, null))) = cons(u, reverse(reverse(s))) 
(apply o = {x+--reverse(s)} to Equation 2-4) 
[7] reverse(concat(reverse(s), cons(u, null))) = cons(u, s) 
(insert induction hypothesis into [6}) 


[8] reverse(cons(u, s)) = concat(reverse(s), cons(u, null)) (apply o = {x+-s} to [4]) 

[9] reverse(reverse(cons(u, s)) = coris(u, s) (insert [8] into [7]) 
Conclude: 

[10] reverse(reverse(x)) =x ([5], [9], and induction principle) 


should be proven before attempting to show the main theorem. In Section 2.7, we present a 
radically different, automatic method that can, in many cases, decide the validity or invalidity 
of equations with respect to the inductive theory. When applied to the problem of proving 
Equation 2, the method automatically “discovers” Equation 3 and proves it to be a theorem 
before proving Equation 2. 


2.4 Term Rewriting Systems 


Term rewriting systems are an important means for proving theorems in equational and induc- 
tive theories, and this is the use that concerns us here. Their mathematical properties also 
make them attractive as a model of computation; see [Dershowitz 83a] and [Goguen 79] for 
examples of these applications. 


A rewrite rule (or, just rule) is a directed pair of terms, written A-+p, such that every variable 
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that occurs in p also occurs in A. One may reduce (or rewrite) a term t using a rewrite rule 
Ap if there is an occurrence q € O(t) such that t/q matches A. The reduced (rewritten) form 
of t is t{q+-o(p)], where o is the match of t/q by A. For example, if we have (Ap) = 
f(gly, y), x)-g(x, x) andt = f(f(g{a, a), h{y)), z), t/1 matches A, o = {y+—a, x+h(y)}, and tis 
reduced to f(g(h(y), A{y)), z). In this example, we can again use A—+p to reduce the resulting 
term and obtain g(z, z). 


A term rewriting system (or, just rewriting system) % is a finite set of rewrite rules. We write 
Sat if and only if s can be reduced to t using one of the rewrite rules in ‘% exactly once. 
The % subscript on — will be omitted when % is clear from context. The notation s +g t 
means that f can be obtained from s by applying rules from % zero or more times. We say that 
two terms s and s’ are joinable if and only if there exists a term t such that s —* t and s’ —+* t. 
When there exist zero or more terms s,, ..., , such that t@s,7...2s, zt’, where = denotes 
(—+ or +-), we write t ++g t'. For example, with % = {a—+b, g(a, x)—+f(x, x)}, we have f(a, a) 
++* g(b, b), since f(a, a) + f(a, b) + f(b, b) — ofa, b) + gb, b). 


The equational theory of a rewriting system %, denoted =, is the equational theory of % 
when viewed as a set of equations. We can obtain a rewriting system % from a set of 
equations & using the following technique, suggested in [Knuth 70] and [Huet 80a]: For every 
equation s =t in &, choose nondeterministically one of the following: 


(1) If Ns) € Nt), put t-+s in BK. 
(2) If %t) C Ns), put sorin ®. 
(3) Let-X = Ys) N Nt) = {x,, de x} Introduce a new operator f that does not 
appear in & or %, and put the two rules SHACK 44 0-1 X,) AND t-—48(X,,..4) X,) into R. 
The resulting rewriting system % will have the same equational theory as ©, except for the 
possible presence of new operators. If either of the first two actions above applies to s =, we 
say that the equation is compatible. if only the third action applies, we say it is incompatible. 


We will refer to the third action above as dividing an equation. Any equation may be divided, 
because since s=1 holds for all substitutions, its validity is independent of the values of 
variables not in X. Because the choice of action is nondeterministic, there may be more than 
one action that could apply to a given equation. For example, if an equation in § can be 
viewed as a rewrite rule in both directions, it can be placed into % either way, or it can be 
divided. 


24 


Chapter 2 Term Rewriting Systems and Proof Theory 


We have seen that one can generate a rewriting system, %, from a set of axioms, &, such that 
S=el if and only if s =q ! for all terms s and t. It can be easily shown thats = ot if and only 
ifs Hd t. Thus, if we have a decision procedure for +a, we have a decision procedure for 
the equational theory of &. The next section describes two properties that, if they hold for %, 


let us decide Og: 


2.5 Termination and Confluence 


We say that a rewriting system, %, terminates (or that it is noetherian, finitely terminating, or 
uniformly terminating) if and only if there is no term ty for which there exists an infinite 
sequence of reductions t, + t, + tz —... A term is irreducible if and only if it cannot be 
reduced by %. If % terminates, any term, t, has at least one normal form, defined to be an 
irreducible term, t], such that t—+* t]. The rewriting system % = {((x + y) +z)—(x + (y +z))} 
terminates. However, the rewriting system & = {(x+y) — (y+x)} does not terminate, be- 


cause we have (a + b) — (b+a) — (a+b)—.... 


It is undecidable whether an arbitrary rewriting system terminates [Huet 78]. However, a 
number of methods have been proposed that prove termination in particular cases (see 
[Iturriaga 67], [Knuth 70], [Manna 70], [Lankford 75a], [Lipton 77], [Plaisted 78a], [Plaisted 
78b], [Dershowitz 79a], [Lankford 79a], [Dershowitz 82a], [Guttag 83a], [Jouannaud 82a)). 
The most popular method, employed in REVE and described in Chapter 3, uses a reduction 
ordering, defined to be any well-founded partial ordering, >, on terms, such that s > t => 
f(...8...) > f(...t..) and a(s) > a(t) for any terms f(...s...) and f(...t...) and any substitution o 
[Manna 70]. The termination proof consists of showing that A > p for every rule, A, in %. 


Another important property for term rewriting systems is confluence. A rewriting system, %, is 
confluent (or uniformly confluent or Church-Rosser) if and only if, for all terms t, s, and s’, t 
—* s and t —* s’ implies s and s’ are joinable. % is said to be convergent (or canonical or 


complete) if it is both terminating and confiuent. 


When a rewriting system is confluent, the normal form of any term is unique, when the normal 
form exists. A sufficient condition for the existence of such a canonical form is the termina- 
tion of all rewritings. Thus, for convergent rewriting systems, %, every term has a unique 
normal form. Furthermore, 4 *, and hence =q (see the last section), is decidable when % is 
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convergent: (s =, ¢) if and only if (s ++* t) if and only if (s| = tl). To test whether s = ft, 
one can reduce both terms to normal form (by applying arbitrary reductions) and then check 
whether the normal forms are identical. Since % terminates, this procedure is effective; 
reductions cannot continue indefinitely. The property af confluence is undecidable for an 
arbitrary term rewriting system, %. However, we will now see that one can decide confluence 


when & terminates. 


A rewriting system, %, is locally confluent if and only if, for all terms ft, s, and s’, t +s and t 
s’ implies s and s’ are joinable. The definitions of confluence and local confluence differ in 
the number of reductions of t permitted to obtain s and s’. Note that confluence implies local 
confluence. The converse is not necessarily true. For instance, % = {a— b,a—c,b— a, 
b —+ @} is locally confluent, even though a has two distinct norma! forms, c and d. However, 
the following theorem is proved in [Newman 42]: 


Theorem 1. A terminating rewriting system, %, is confluent if and only if it is locally con- 
fluent. 


Similar “diamond lemmas" have been shown in [Knuth 70] and [Huet 80b]. It is difficult to test 
for local confluence as defined, since the definition quantifies over all terms. Theorem 1 is of 
interest to us only if it is easier to decide local confluence than confluence. This is indeed the 
case. We need the following definitions. 


Two terms are said to overlap if and only if one is unifiable with a nonvariable subterm of the 
other, and the two terms share no variables. The superposition of two overlapping terms is 
the corresponding unification of one term and a subterm of the other term. To superpose two 
rewrite rules is to compute all of the superpositions between their left-hand sides. Let A,—p, 
and Ay Py be two rules in a rewriting system % such that A, and A, overlap at occurrence q 
in A,, and let o be the most general unifier of A,/q and A,. (We assume that variables have 
been renamed to alleviate sharing between the rules.) The critica! pair associated with this 
overlap is (o(A,[q+~p,]), o(p,)). It consists of the two reductions of o({A,) by the two rules. 
intuitively, a critical pair captures the way in which two rewrite rules might be used to rewrite a 
term into two different terms. For example, consider the two rules f(x, g(x, h{y))) — k(x, y) and 
g(a, z) + m(z). We can superpose the first rule at occurrence 2 with the second one, using 
the most general unifier {x--a, z-—h(y)}, to obtain the critical pair (f(a, m(h(y))), k(a, y)). We 
will write a critical pair, (s, t), as an equation, s =f. 
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For a finite rewriting system %, there are finitely many critical pairs. They can be effectively 
computed with the use of a unification algorithm. Their utility is apparent in the following 


theorem. 


Theorem 2. Arewriting system, %, is locally confluent if and only if every critical pair in % is 


joinable. 


The original version of this theorem is presented in [Knuth 70], where it is used in conjunction 
with Theorem 1. Our statement of the theorem is from [Huet 80b], and does not require 
termination. 


Combining Theorems 1 and 2 gives us a decision procedure for the confluence of terminating 
rewriting systems. The usefulness of convergent rewriting systems has already been argued. 
Note the dual importance of termination: it permits the use of Theorem 2 as a test for the 
confluence of a rewriting system %, and helps us decide —@ (and = oy), when % is confluent, 
by alleviating infinite reductions. In some cases, a terminating, non-confiuent rewriting sys- 
tem can be "completed " to produce a convergent rewriting system having the same equa- 
tional theory. This is the subject of the next section. 


2.6 The Knuth-Bendix Completion Procedure 


Suppose we have a rewriting system %, and a reduction ordering, >, such that A > 9 for all 
rules, Ap, in %. By Theorem 2, we may test for local confiuence by checking that all critical 
pairs are joinable. The two terms comprising a critical pair, s=f, are merely the result of 
reducing a single term by two different rewrite rules in %, after applying a substitution. 
Consequently, s=t is in =, and s—tf or t-+s may be added to % without changing =a. 
Furthermore, if the two sides of the added rule are ordered under > in the appropriate 
direction, the termination of % is preserved. Thus, if the local confiuence test fails, i.e., if a 
non-joinable critical pair is found, and the critical pair is orderable, we may add the critical 
pair to %, and test again for local confluence. If this process eventually causes % to be locally 
confluent, and no unorderable critical pairs were found, the resulting rewriting system is 
convergent, and has the same equational theory as the original. 


The above method for "completing" %& is the basis for the Knuth-Bendix completion 
procedure. The procedure, as originally described in [Knuth 70], is given in Figure 2-7. It 
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incorporates the additional refinement that all rewrite rules are kept in normal form, for 
reasons of efficiency. In this figure, repeat means “go to the first statement of the smallest 
enclosing loop." Figure 2-7 makes use of the functions in Figure 2-6. The initial input to the 
procedure is a reduction ordering, >, and a (finite) rewriting system &, where V A-+p € BR: 
A > p. Later formulations of Knuth-Bendix accept equations as input and explicitly order 
these original equations into rules using >-. REVE’s implementation of Knuth-Bendix is 
described in Chapter 4. 


Figure 2-6: Auxiliary Functions Used by Figure 2-7 


Normal(t, R) = A normal form of the term t with respect to the rewriting system R 
Unorderable(s = t) = (s > t) and (t > s) 
Order(s =?) -= ifs >tthen s—st else ts 


CriticalPairs(r, r') = All critical pairs between the rules r and r’ 


In looking for a decision procedure for an equational theory, =~, using Knuth-Bendix, one. 
first selects a reduction ordering, >, and constructs a rewriting system, %, that consists of 
the axioms in &, ordered, such that A > p for every rule, Ap, in ‘%. One then executes the 
procedure in Figure 2-7. Knuth-Bendix is not an algorithm, in that it may halt in "failure" if the 
two sides of a rule are not orderable, or fail to terminate because it may generate an infinite 
set of rules. Consequently, any practical implementation needs to provide a means for stop- 
ping the main loop, perhaps by setting a limit on the number of iterations. 


When >- is unable to order the two sides of a rewrite rule, it is either because > is not general 
enough to show that % terminates, or the rule is inherently non-terminating (e.g., x + yy + x). 
This is one of the major drawbacks of Knuth-Bendix as presented here: it does not apply to 
theories containing such (useful) permutative equations. The procedure can be extended, 
however, to work with certain equationa! theories with permutative axioms; see Section 
6.2.4.3 for an overview of these results. | 


The Knuth-Bendix procedure has been successfully used on a number of interesting axiom 
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Figure 2-7: Description of the Original Knuth-Bendix Completion Procedure 


Complete the initial system K: 
loop 


Find non-joinable critical pair: 
for each Ap in & do 
for each y—2 in & do 
for each s =1 in CriticalPairs(A—p, y+) do 
s':= Normal(s, %); t':= Normal(t, %) 
if s' # t' then goto Order equation endif 
endfor 
endfor 
endfor 
halt with success 


Order equation: 

if Unorderable(s’ = t') then halt with failure endif 
(A-+p):= Order(s’ =f’) 

R= RU {Ap} 


Normalize rewriting system: 

for each yp in % do 
y':= Normal(y, %); p’: = Normal(p, %) 
if (y = y') and (u = p’) then repeat endif 
if Unorderable(y’ = »') then halt with failure endif 
BR: = (KR ~-{y—p}) U {Order(y' = p')} 

endfor 

endioop. 


sets. One easy example is the central groupoid [Evans 67], which consists of one binary 
operator, *, and the single axiom 

(1) (xe y)*(yez)ey 
As shown by REVE, and indicated in [Knuth 70] and [Hullot 80a], the completed rewriting 
system consists of the above equation (ordered) plus the following two rewrite rules: 

(2) (x * (x * y) * Zz) * y) 

(3) (x * (y * z)) *z)>(y °z) 
This example can also be easily worked by hand. The latter two rules are the two critical pairs 
that result from overlapping the first axiom with itself. 
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A particularly interesting, and often referenced, examole of an axiom oot completable by 
Knuth-Bendix is. group theory, as defined in Figure 2-1 on Page 12. ‘Knuth-Bendix produces 
_ the convergent rewriting system shown in Figure 2-8, {There may be more then one conver: 
gent rewriting system corsepending to a set of exigms. Knetiflendix produces a different 
rewrting eytem for hie examete te Hird equation in Figure 3-1 i ordered inthe reveree 


theorem 71)" =X, which we proved by hand in Figure 22, eS 
in Figuee 2-8. 


()e exer 
- f@)xthe xe 

(3) Ox * y) * zs0x © yz) 

rte (exper 

(5) o7'-+e 

©) Oty ox 

(1) x° ex 
Grete 
-@xeort *inwe 
(10) x yf tay to yo! 


To prove, for example, the equational theorem 

octeytytaysgrteeyt | | (4) 
wing tn rurting seam in Figure 2, we redian he iend so of te aquaton i 
normal form: 
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octe ytyt 


tye octy (apply Rule 10) 
yey (apply Rule 6) 
y°x (apply Rule 6 again) 


and the right-hand side to normal form: 


ye(x't sey" 

ye(eteay?) (apply Rule 10) 
ye(es(x')y) (apply Rule 5) 
yey" (apply Rute 1) 
y*x . (apply Rule 6) 


and note that the two normal forms are identical. If the normal forms were not identical, 
Equation 4 would not be an equational theorem of groups. See [Hullot 80a] for other ex- 
amples of convergent rewriting systems. 


In addition to its use as a means of obtaining decision procedures for equational theories, 
Knuth-Bendix may be used, among other purposes, to prove theorems by refutation [Hsiang 
82]; to perform “meta-unification" in certain equational theories [Fay 79, Lankford 79b, Hullot 
80b]; to interpret, verify, and synthesize "rewrite programs" [Dershowitz 83a]; and to compute 
the congruence closure of a finite set of ground equations [Lankford 75b]. See [Dershowitz 
83b] for a survey of these applications. It was announced in [Butler 80] and proven in 
[Dershowitz 82b} that, for a given reduction ordering >, there is at most one convergent 
rewriting system corresponding to an equational theory. Thus, Knuth-Bendix may sometimes 
be used to prove that two different axioms sets have the same equational theory, by compiet- 
ing the two sets and comparing the resulting rewriting systems for equality (modulo variable 
renaming). Knuth-Bendix may also be used to prove inductive theorems, as explained in the 
next section. 


2.7 Inductionless Induction 


Musser [Musser 80b] first suggested using Knuth-Bendix to prove theorems in the inductive 
theory of a set of equations, as an alternative to performing explicit induction by hand. This 
idea, dubbed inductionless induction by Lankford, was extended and/or simplified in 
[Goguen 80], [Huet 80a], [Huet 82], [Lankford 81], [Dershowitz 83b], and [Kapur 84b]. We 
present here the method of Huet-Hullot [Huet 82], and interpret it in the context of the follow- 


ing theorem: 
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Theorem 3. [Dershowitz 83b] Let & be a convergent rewriting system for a set of axioms, &, 
where > is a reduction ordering used to establish the termination of R. Let GR be the set of 
irreducible ground terms in %. Let 36 be a set of equations to be shown as inductive 
theorems. An equation in 36 is not valid in the inductive theory of & if and only if running 
Knuth-Bendix on % U 36 with > results in a rule with a left-hand side that has an instance in 
9%. This, provided the procedure does not terminate in “failure.” 


This suggests the following method for proving that the equations in % are valid in the induc- 
tive theory of &: Complete & using Knuth-Bendix. Add the equations in 3 to the system and 
continue the completion process. If an instance of a term in G& appears on the left-hand side 
of a rule, some equation in 36 is not valid in &. if this does not occur, and Knuth-Bendix 
completes successfully, all of the equations in 36 are inductive theorems in &. If Knuth-Bendix 
terminates in "failure" or generates an infinite set of rules, the method gives us no information 
about the validity of the 36 equations in &. The main difficuity in this scheme is determining 
GR from a given %. The remainder of this section presents the Huet-Hullot approach to this 
problem. 


Let € denote a chosen set of operators found in &. We refer to these operators as 
HH-constructors. Let G& denote all ground terms consisting only of operators found in &, and 
GC denote atl ground terms consisting only of operators in the set C. Before running Knuth- 
Bendix on % U 3, one checks that % satisfies the principle of definition: every term in §§& is 
&-congruent to exactly one term in §C. This check is difficult (indeed, undecidable) because 
both G& and GC are often infinite. 


The Knuth-Bendix procedure is modified so that when it considers an equation, s =f, where 
the normal form, s’, of s is not identical to the normal form, t’, of f, the algorithm in Figure 2-9 is 
executed. The first case in the algorithm is an optimization, valid when the principle of 
definition holds, that divides s=t into several smaller equations to assist in the successful 
completion of Knuth-Bendix. The second, third, and fourth cases in the algorithm ensure that 
distinct terms in GC are not reducible to one another. The last two cases guarantee that the 
terms in GC are less, under >, than all other terms in G&. Thus, when % satisfies the principle 
of definition, the last five cases together ensure that 9C consists precisely of the irreducible 
ground terms in %, so GC is the set GR that we seek. Furthermore, the algorithm will halt with 
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"pseudo-inconsistency"® if and only if a rule would be generated whose left-hand side has an 
instance in GC. The principle of definition and Figure 2-9 together imply the conditions 
required by Theorem 3. REVE incorporates Figure 2-9 into Knuth-Bendix, but does not cur- 
rently provide support for checking the principle of definition. This is undecidable in general, 
but efforts are underway to incorporate a useful check for sufficient conditions (see Section 
6.2.4.5). 


Figure 2-9: Huet and Hullot's Inductionless Induction Modification to Knuth-Bendix 


case 
s' = f(s, S,) and t'= f(t,, 1 t,), with FEC: &:= (6 - {s' = t'}) U {s,=t,}; repeat 
s' = f(...) and t’ is a variable, with f € C: halt with pseudo-inconsistency 
s' is a variable and ft’ = ¢(...), with? GC: halt with pseudo-inconsistency 
s' = f(...)andt’ = g(...), witht GC, g EC, and f # g: halt with pseudo-inconsistency 
s' = f(...)andt’ = 9(...), with E C,g ¢ C, and s’ > #’: halt with failure 
s’ = f(...)andt’ = g(...), with f ¢ C,g EC, and t' > s’: halt with failure 

endcase | 


As an example, consider using inductioniess induction to prove inductive theorems in the 
theory of lists, as defined in Figure 2-3 on Page 20. We first use Knuth-Bendix to complete the 
list axioms’, given a suitable reduction ordering, >. Here, Knuth-Bendix finds no non- 
joinable critical pairs, so the resulting rewriting system % just consists of the equations in 
Figure 2-3, ordered. We then designate nu// and cons as the HH-constructors, and check that 
% satisfies the principle of definition. The principle does hold for R, since all ground terms 
are irreducible, and §& = QC in this example. We then continue running Knuth-Bendix on %, 
together with the set 36 consisting, say, only of Equation 2 on Page 20. Knuth-Bendix will 
_complete successfully in this case, and happens to produce Equation 3 on Page 21 as a 
critical pair that appears in the final convergent rewriting system. Note that Equation 3 is not 


Si, [Huet 82], the authors use the word “disproof" rather than "pseudo-inconsistency." 


Tn the Huet-Hullot approach, # & itself satisties the principle of definition, it is not strictly necessary that one first 
run Knuth-Bendix on & before adding the equations in 36. In practice, however, It ia customary to run Knuth-Bendix 
first. The principle of definition is easier to check for a convergent rewriting system than for an arbitrary set of 
equations. 
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in the equational theory of the original list axioms, but it is in the equation theory of the list 
axioms plus Equation 2. Because Knuth-Bendix does not halt with "failure" or "pseudo- 
inconsistency" in this case, we conclude that Equation 2 (and Equation 3) are in the inductive 
theory of the original list equations. These theorems may, in turn, allow us to prove other 


inductive theorems. (For further examples, see Section 5.3.) 


Chapter Three 


Automatic Construction of 
Terminating Rewriting Systems 


3.1 Introduction 


In this chapter, we present a new, totally automatic method for constructing a rewriting sys- 
tem from a set of equations, and proving that the rewriting system terminates. Previous 
techniques have either required user help in guiding the proof, or have been too restrictive to 
be generally applicable. The ability to prove termination automatically is an important require- 
ment in applications where the theorem prover is to be embedded in a larger program, espe- 
cially when term rewriting is not the principal function of that program. In most such 
programs, it would be inappropriate to expect users to be sufficiently fluent in rewriting sys- 
tem termination techniques to assist in the termination proof. 


Termination is undecidable. Nevertheless, we are often interested in whether a rewriting 
system, %, terminates, because (see Section 2.5): 

e Termination allows one to decide whether % is confluent. 

e If % is confluent, termination allows one to decide =. 

e If Ris not confluent, termination allows the use of the Knuth-Bendix completion 

procedure to help achieve confluence. 

Knuth-Bendix, as part of the completion process, constructs a terminating rewriting system 
from a set of equations with the use of a reduction ordering, >. The construction process 
consists of showing that every equation can be ordered, in one direction or the other, into a 
rewrite rule, Ap, such that A > p. These ordered rewrite rules comprise %, and > proves 
that % terminates. 


In the context of Knuth-Bendix, the problem of ensuring that % terminates reduces to the 
problem of choosing an appropriate reduction ordering, >, if such an ordering can be found 
for the example at hand. In particular, constructing % in an automatic fashion consists of 
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automatically finding >. Selecting > based on a static analysis of the equations is not 
sufficient, because the set of equations grows during the completion process. The selection 
of > must proceed dynamically: whenever an equation is encountered that cannot be or- 
dered by >, > must be extended (if possible) so that it can order the new equation and also 
order all previously-ordered equations. This idea was pioneered by Lescanne in REVE 1 
[Lescanne 83a]. In this chapter, we present an automatic, dynamic procedure for extending 
>, so that the construction of % and its proof of termination proceed automatically. The 


procedure is sufficiently general to be effective in a wide variety of practical applications. 


The remainder of this chapter presents the theoretical justification and algorithmic methods 
supporting the automatic procedure for extending >. Section 3.2 presents the basic defini- 
tions and theory behind the use of orderings in constructing terminating rewriting systems. 
Section 3.3 describes and generalizes some popular classes of orderings. Section 
3.4 introduces a new class of orderings that is more powerful than most other known classes 
of orderings for termination proofs. Section 3.5 presents methods for dynamically extending 
these orderings. Finally, Section 3.6 describes the automatic extension procedure itself. 
Sections 3.2 and 3.6 may be read independently of the other three, to obtain an overview of 
the scheme for automatically constructing terminating rewriting systems, while skipping the 
details of the orderings themselves. 


3.2 Ordering Definitions and Properties 


3.2.1 Relations, Relationals, Mappings, and Orderings 


This chapter is concerned with various binary relations. A binary relation, p, is a set of 
ordered pairs of elements belonging to a base set, S. The notation s g t means (s, t)E gp. A 
relation, p,, is an extension of another relation, ,, if and only if p, 2 y,. The extension is 


strict if and only if the containment is proper. 


A relation pair is inductively defined to be a pair, (P4:Po): where , and 9, are either relations 
or relation pairs. The base set of (p,,@,) is the union of the base sets of p, and y,. A relation 
pair, (p,,P,), is empty if and only if both p, and p, are empty. We say that (p,,@,) is an 
extension of (p{,9,) if and only if p, is an extension of @,, and 9, is an extension of y,. The 
extension is strict if and only if either of the constituent extensions is strict. 


36 


Chapter 3 Automatic Construction of Terminating Rewriting Systems 


A relational is a relation that is parameterized on another relation or relation pair. If ® is a 
relational on ~, ® is monotonic in g if and only if extending @ extends ®[q]. An instantiation 
of ® is any relation ®[p] where © is defined on @. If ©, and ©, are both relationals on p, we 
say that ®, is an extension of ®, if and only if ©,[p] 2 %,[¢] with any @ for which ®, is 
defined. The extension is strict if and only if the containment is proper. We will usually just 
write the name of the relational, say ®, rather than O[@], since @ will usually be clear from 
context. 


Given a domain set, D, and a range set, R, a (partial) mapping, p, from D to A is a binary 
relation with base set D U A, where p(d) = 1 (i.e., d p r) only if d € D, r € A, and, for every 
d & D, there is at most one r satisfying p(d) = r. The mapping p is total if and only if there is 
exactly one such r for every d. We say that p is tota/ over T if it is total when its base set is 
restricted to T. 


A quasi ordering, >, is a transitive, reflexive binary relation. The notation s ~ t means (s >- t 


and t > s), and s 7 t means (s, t) ¢ >-. We say that s and t are comparable under >- if and 
only ifs >- tort > s. 


A partial ordering, >, is a transitive, irreflexive binary relation. The notation s 7 t means (s, t) 
¢ >. We can obtain a partial ordering, >, from a quasi ordering, >, by defining s > ¢ if and 
only if (s >- t and t 3 s). We say that a partial ordering, >, is well-founded if and only if it 
admits no infinite descending sequences s, > 8, > S, >... of elements in its base set. An 
ordering is any quasi or partial ordering. 


3.2.2 Simplification Orderings 

[Dershowitz 82a] introduced a general class of partial orderings on terms, known as 
simplification orderings, and showed that simplification orderings can be straightforwardly 
used to prove the termination of rewriting systems. 


Definition 4. A partial ordering, >, on terms is a simplification ordering if it possesses the 
following two properties: ; 


Compatibility: S>t => f(...8...) > f(t...) 
Subterm: f{...t...) > t 


for any terms s, t, f(...S...), and f(...f...). 
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Theorem 5. [Dershowitz 82a] A term rewriting system, %, terminates if there exists a 
simplification ordering, >, such that o(s) > o(t) for all substitutions o and all rules st in %. 


Every simplification ordering > considered here is stab/e; i.e., s > t implies o(s) > o(t), for all 
terms s and t, and all substitutions o. Consequently, we may use a variant of the above 
theorem that is slightly less general. 


Theorem 6. _ A term rewriting system, %, terminates if there exists a stable simplification 


ordering, >, such that s > t for all rules s—+t in %. 


In the last chapter, we indicated that Knuth-Bendix uses reduction orderings to prove termina- 
tion. Theorem 6 indicates that stable simplification orderings can be used instead. Stable 
simplification orderings are different from reduction orderings, because stable simplification 
orderings are not necessarily well-founded, and reduction orderings do not necessarily have 
the subterm property. However, [Dershowitz 82a] showed that when the base sets of the 
orderings are restricted to terms over a finite set of operators, such as the terms that comprise 
a (finite) rewriting system, these two classes of orderings are the same. The notion of 
simplification ordering was introduced because it is usually much easier to show that an 
ordering is a simplification ordering than to show it is a reduction ordering. In applications 
other than termination proofs, when a well-founded ordering is needed for terms over an 
infinite set of operators, one must separately show the well-foundedness of the simplification 
ordering. See [Dershowitz 83c] for techniques in constructing well-founded orderings, and 
for an overview of most known classes of simplification orderings, including some of those 
discussed here. 


3.2.3 Registered and Automatic Orderings 


Most classes of simplification orderings in popular use can be viewed as what we will call 
registered orderings. A registered relation is any relational, parameterized on a registry, that 
yields a relation over terms. A registry, (#,¥), is any relation pair consisting of a precedence, 
a, and a status map, #, representing information about operators. A registered ordering is 
any registered relation whose every instantiation is a stable simplification ordering. 


It is important to recognize that a registered ordering is a relational, so it is not an ordering: it 
is a class of orderings. We use this terminology to be consistent with the names of existing 
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classes of simplification orderings, such as the recursive path ordering. We will use the 
symbol > both for registered orderings and simplification orderings. The meaning of > will 
be clear from context. 


A precedence, a = (>,;4), is a relation pair, where > and # are binary relations on 
operators. We say that (3,34) is consistent if and only if all of the following are true: 


(1) The relation > is a quasi ordering. 
(2) The relation ;/ is irreflexive and symmetric. 


(3) For any three operators, f, g, and h, where f > g and g Dh, if f 9g org #h, then 
t shh. 

We say that f and g are comparable under (3,34) if and only if they are comparable under >. 
We will use f > g as a shorthand for (f > g and f 3g), and f = g as a shorthand for (f > g and 
g > f). Note that if f > g, one may extend (>,4) with f 3g or g & f to obtainf > g orf = 9g, 
respectively. Also note that > is a partial ordering. We say that (3-4) is total if and only if, 
for all operators f and g in the base set, either f > g,g > f, orf = g. The precedence (>,;¢) is 
total over T if it is total when its base set is restricted to 7. We will usually just use w to denote 
a precedence, rather than (>,;4). 


A status map, ¥, is a binary relation that represents some auxiliary information used by regis- 
tered orderings.. We. say that ¥ is consistent if and only if it is a partial mapping from operators 
to statuses. A status can have the value multiset, denoted @; /eft-to-right, denoted ©; or 
right-to-left, denoted ®. if an operator, f, is not in the domain of a status map, ¥, the “status" 
of f is said to be undefined, written ¥(f) = @. Loosely, ¥(f) = @ means that, for a term, ft, 
whose root is f, the ordering regards the arguments of t as a multiset, and the order of the 
arguments is ignored. When ¥(f) = ©, the leftmost arguments of t are given more weight in 
the ordering. Similarly, ¥(f) = © indicates that the rightmost arguments are more important. 
If ¥(f) = @, f has not yet been assigned a particular status. We say that the status of f has 
been set if and only if ¥(f) # @. The two statuses © and @ are lexicographic in that they 
imply a lexicographic comparison of argument lists. (Left-to-right and right-to-left are not the 
only lexicographic possibilities, but they are the most useful.) Two statuses are incompatible 
if one is @ and the other is lexicographic, and are compatible otherwise. In registered 
orderings, the status of an operator is irrelevant if its arity is less than two. 
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The operators in the base set of a registry, (7,), are implicitly assumed to be restricted to 
those occurring in the (finite) term rewriting system of interest. We say that (7,¥) is total if 
and only if both 7 and ¥ are total. The registry is total over T if and only if both 7 and ¥ are 
total over T. The registry is consistent if and only if both 7 and ¥ are consistent, and for all 
operators f and g such that f= g, ¥(f) and ¥(g) are compatible. Registered orderings are not 
defined for inconsistent registries, so implementations should take precautions to preserve 
the consistency of the registry. Unless stated otherwise, all registries considered here are 
assumed to be consistent. We will denote the contents of particular registries using braces, 
for convenience; e.g., {f > g, ¥(f) = @}. We will usually just use p to denote a registry, 
rather than (7,) or ((>,34),#). 


To construct a terminating rewriting system from a set of equations, &, using a registered 
ordering, >-, one must find a terminating registry: a registry that allows every equation in & to 
be ordered by > in one direction or the other. Thus, for > to be useful in constructing 
terminating rewriting systems automatically, it must be possible to dynamically extend > by 
extending the registry when an equation that is unorderable (under the current registry) is 
found. It is essential that > be monotonic in the registry, so that extending the registry does 
not change the ordering of previously-ordered equations under > [Lescanne 83a]. Another 
important property of > is its extensibility: the degree to which > can be extended by 
extending the registry. 


For unorderable equations, we seek extenders. An extender for s  t under the registry p, 
where ¢ is a registered relation, is an extension of p such that s g t under that registry 
extension. The registry p is itself an extender if we already have s @ t. An extender is minimal 
if and only if no proper subset of that extender is also an extender. A complete extender set, 
S, for s tf under p is a set of registries such that every registry in S is an extender for s @ t 
under p, and every extender for s @ t under p is an extension of at least one registry inS. A 
minimal complete extender set, %X¢.0), is a complete set of extenders that contains no 
non-minimal extenders. We will usually just write S(q) rather than & ip.) when s, ft, and p 
are irrelevant or clear from context. Note that a complete extender set explicitly includes 
every minimal extender. Consequently, every non-minimal extender in a complete extender 
set is an extension of some other (minimal) extender in that same set. Thus, Silp.p) can be 
obtained from a complete extender set for s m t under p, S, by removing all extenders from S 
that are extensions of other extenders in S. We say that & ACH) is the minimal reduction of S. 
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The ability to compute S(>-) is the key to our method for automatically constructing a ter- 
minating rewriting system from a set of equations, by automatically finding a terminating 
registry under >. An automatic ordering is an implementation of a registered ordering, >, 
that can compute %(>) when two terms are unorderable. In Section 3.5, we will show how 
some registered orderings can be implemented as automatic orderings. 


Some interesting questions that one can ask about a registered relational are: 
els every instantiation a simplification ordering? 


e Is every instantiation stable? 

e Is every instantiation well-founded? 
e Is it monotonic in the registry? 

e How extensible is it? 


e Can it be implemented as an automatic ordering? 
We will consider these questions for the registered relationals we will describe. 


3.3 Path and Decomposition Orderings 


This section discusses two important categories of registered orderings, one based on a 
recursive path traversal of terms, and one based on a comparison of term decompositions. 
The recursive path ordering with status (RPOS) is a widely used registered ordering, because 
it is powerful and easy to understand. A newer registered ordering, the recursive decom- 
position ordering with status (RDOS), is more. powerful than RPOS, and can help extend the 
registry when two terms are unorderabie. 


Although both RPOS and RDOS allow the precedence to be incrementally extended during 
the termination proof, neither of these registered orderings permits the status map to be 
incrementally extended. Thus, one must set the status map a priori, rather than allowing it to 
be extended appropriately to order unorderable equations as they are encountered. This is a 
significant shortcoming for automatic termination proofs. In addition, both RPOS and RDOS 
are somewhat inflexible with respect to incremental precedence extensions during the ter- 
mination proof. However, by changing the definitions of RPOS and RDOS slightly, we can 
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correct these deficiencies in extensibility. We refer to the modified, fully extensible versions 
of these orderings as the extensible path ordering with status (EPOS) and the extensible 


decomposition ordering with status (EDOS). 


In the remainder of this section, we present those definitions and properties of the above 
orderings that will be needed in the rest of the chapter. We will fully define the path orderings, 
because the definitions will be used in Section 3.5. We will also discuss the essential features 
of the decomposition orderings, though we will not require the details here. 


3.3.1 Path Orderings 
To define RPOS, we first need two subsidiary relationals on collections of elements, and two 
subsidiary functions. 


Intuitively, a muftiset (or bag), s, on a quasi ordering, >, is an unordered collection of ele- 
ments, where s may contain multiple elements that are equivalent under =. More formally, s 
is a mapping from the base set, S, of >- onto the nonnegative integers, that associates, with 
each member of S, the number of elements to which it is < in the multiset. We use 
{S,, ... S,,} to denote the multiset containing the (possibly wee!) elements 8,, ..., 5, 
Ab(S) denotes the set of all finite multisets on S. 


Definition 7. [Huet 80a] Given a quasi ordering, >-, whose base set is S, and elements s 
and t of A(S), we obtain a relational, >5, on A(S), by s >5 t if and only if (Vx)([t(x) > s(x)] => 
(Sy)(ly > x] A [s(y) > t(y)])). The instantiations of >; are quasi orderings, called the muitiset 


orderings. 


See [Jouannaud 82b] for properties of this ordering, a comparison of this ordering with other 
multiset orderings, and an efficient implementation. 


We will write a sequence as (s,, ..., s_,). £(S) denotes the set of all finite sequences on S. 


Definition 8. Given a quasi ordering, >-, whose base set is S, and elements s = 
(8,18). S,,) and t = (f,,t,,... f,) of £(S), we obtain a relational, >, on L(S), by s 2x tif and 
only ifn = 0,orn >0,m>0,s, > t,, and (s,, .... $,,) 2x (tp, f,). The instantiations of >y 


are quasi orderings, called the /exicographic orderings. 
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The LexSequence function takes a lexicographic status and a term, and re-orders the term’s 


arguments (if necessary) to be appropriate for the given status: 


LexSequence(y, (t,t) = ify = @ then (1, ..., t,) else (t,, ..., f,) endif 


CompareEquivalent, which makes use of LexSequence, is used to compare two terms whose 
roots are = in the precedence. The function takes two pairs, where each pair consists of a 
term and a status assignment, plus a partial ordering for comparing arguments. 
CompareEquivalent compares the two terms, using the ordering, under the assumption that 
the roots of the terms are =, and treating the terms as though the root of each term has the 
status assignment that is paired with that term. (In defining RPOS, the status assignment 
paired with each term will be the same as the status of the root of the term, but this will not be 
the case when we use CompareEquivaient in defining EPOS, below.) 
CompareEquivalent({s = f(s,, ....S,,), 4): (t = (ty, 1 t,)s Yo): >= 


case . 
(y, = @)and (y, = @): {s,,....8,,} 2p {ty t,} 


Y, and Yp are both lexicographic: 
[LexSequence(y,, S) 2x LexSequence(y,, t)] and (Vt)(s > t) 
endcase ; 


in effect, CompareEquivalent compares the arguments of s and ¢ as multisets if the statuses 
are both multiset, and compares them lexicographically, from left-to-right and/or right-to-left, 
if the statuses are both lexicographic. In addition, with lexicographic comparisons, 
CompareEquivalent must ensure that s is greater than each argument of 1, if s is to be greater 
than t. CompareEquivatlent is not defined if the two statuses are incompatible or if either 
status is ©. 


Kamin & Lévy’s RPOS registered ordering [Kamin 80], >®, is an extension of the recursive 
path ordering [Dershowitz 82a]. RPOS is monotonic in the precedence [Lescanne 83b], and 
an instantiation of RPOS is well-founded if and only if > is well-founded. (The partial ordering 
> will always be well-founded if its base set of operators is finite.) The following definition 
makes use of Definitions 7 and 8, and of CompareEquivalent. 


Definition 9. The recursive path ordering with status® (RPOS), >, is a registered relational. 
The partial ordering >=[p] is induced by the quasi ordering ~ Il, where - 

Sk amin & Lévy did not use a formal notion of status map. Our use of status is adapted from Lescanne's REVE 1 
and from [Lescanne 84]. 
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S = (Sys 005 Sq) Ale] ty ty) = t 
is defined inductively as the union of the following three cases: 


(1) (As (s, fp] 1) 
(2) (f > g) and (Vt)(s >2[p] 1) 


(3) (f = g) and CompareEquivalent((s, ¥(/), (t, ¥(g)), >£{p]) 
(Note that f and g might be the same operator.) The ordering is only defined for consistent 
registries. We lift >? to a stable ordering on terms with variables by treating variables as 
constants, where: 1) x = x and ¥(x) = @ (any status would do) for all variables x; and 2) 
(x, y) ¢ & and (x, y) ¢ + for all distinct symbols, x and y, where x and/or y is a variable. 


Theorem 10. Every instantiation of >= is a simplification ordering. 


Proof. See [Kamin 80]. o 


Lemma 11. >= is monotonic in the precedence. 


Proof. Easy extension of the argument in [Lescanne 83b] for the recursive path ordering. O 


One would like to initialize the status of all operators to @, and then incrementally choose 
status assignments for operators while constructing the rewriting system, as needed. 
Unfortunately, ># is not defined for © status. Some implementations of >= (e.g., RRL [Kapur 
84a] and REVE 1 [Lescanne 8a)) initially assign @ status to all operators, and then in- 
crementally change the status of some operators to be. lexicographic to help order un- 
orderable equations. However, this is not a sound termination proof method, because it can 
cause previously-ordered rewrite rules to become unorderabie. 


For example, suppose that the status of both f and g is initially @, and we have previously 
placed f > g in the precedence to order some previous equation. We encounter the equation 

g(f(x, y)) = fly, x) (5) 
and find that the left-hand side is already greater than the right-hand side under >8, with the 
current registry. Hence, we convert the equation into a rewrite rule and add it to the rewriting 
system, %. Later, we decide to change the status of f from @ to ©, to allow some other 
equation to be ordered. Making this change causes Equation 5 to become unorderable. 
Moreover, no further extensions to the registry will order the equation. We now have an 
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in either of these ways, and s and ft will still be ordered. This change preserves 


the monotonicity of the ordering with respect to 7. 


By making the above modifications to +=, we obtain EPOS, denoted >. 


To define EPOS formally, we first define two subsidiary functions, AllStatuses and 
CompareAll. AllStatuses takes a status and returns a set of statuses. CompareAll, which uses 
the CompareEquivalent function declared above, takes two terms and a partial ordering, and 
compares the arguments of those terms (using the ordering) under all possible compatible 
status assignments to the roots of those terms, assuming that the two roots are = in the 


precedence. 
AllStatuses(y) = if y = © then {@, ©, ®} else {y} endif 


CompareAll(s = f(...),t = g(...), >) = 
(V(y 43 Y,)€[AllStatuses(p(f)) X AllStatuses(¥(g))]: Y, and y, are compatible) 
CompareEquivalent((s, y,), (t, Y9)) >) 


Definition 12. The extensible path ordering with status (EPOS), >&, is a registered rela- 
tional. The partial ordering >=[p] is induced by the quasi ordering >=[p], where 


s = f(s,,...5,,) =[o] Qty, 4t,) = t 
is defined inductively as the union of the following three cases: 


(1) (As)(s; =[p] 1) 
(2) (f & g) and (Wt)(s =[p] t) 
(3) ([f = g] or [(f & 9) and (Vt)(s >[p] t)]) and CompareAli(s, t, [p]) 
Variables are handled in the same manner as for >2. 
In the definition of +2, the treatment of © is the conjunction of the treatment given to ®, ©, 


and @, and the treatment of > is the conjunction of the treatment given to > and =. When 
the status map is total and the precedence is committed, >> = >&. 


Let us consider an example that illustrates the extensibility of >=. Suppose we wish to find a 
terminating registry for the equations shown in Figure 3-1, under >=. We start with an empty 
registry (the precedence is empty, the status of all operators is @). 


(1) The first equation in the figure is not orderable with >> under an empty registry. 
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However, the equation is orderable into a rewrite rule from left to right if we set 
¥(f) = ©, or it can be ordered from right to left if we set ¥(f) = @. We arbitrarily 
choose ¥(f) = ©. 


(2) The second equation cannot be ordered from right to left under any extension to 
the current registry (nor under any registry). The equation may be ordered from 
left to right if we extend the registry with either ¥(g) = © orf & g. The first 
choice offers greater flexibility for later extending the precedence, and the 
second offers greater flexibility for later extending the status map. We arbitrarily 
choose the second of these registry extensions. 


(3) The third equation is not orderable from right to left under any registry. However, 
it is orderable from teft to right if we commit the precedence by extending it with 
g > f, so that f = g. We do so, and the equation becomes ordered into a rewrite 
rule from left to right. 


(4) The fourth equation is not orderable from left to right under any registry. 
However, it is orderabie from right to left if we set ¥(g) = @, 80 we extend the 
registry accordingly. 


The final, terminating registry is {f +9, ¥() = ©, ¥(9) = @}. 


Figure 3-1: Exampie to lilustrate the Extensibility of EPOS - 


(1) f(f(x, x), y) = f(x, f(x, y)) 
(2) tgly, x), y) = g(x, y) 
(3) g(fly, x), x) = F(x, y) 


(4) g(g(x, x), y) = gly, ot, y)) 


In the above example, we happened to make the right choices for extending the registry so 
that a terminating registry was produced. In general, one cannot tell that a particular ex- 
tender will not work until it is found to prevent the ordering of some later equation. In the 
example, further experimentation would reveal that no choices for extending the registry, 
other than the ones made above, allow a terminating rewriting system to be constructed using 
s£. See Section 3.6 for a discussion of recovering from bad extender choices. 


In practice, the > relation between operators contributes the most toward ordering terms. 
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The status map is of secondary importance, though it is essential for ordering certain impor- 
tant equations, such as (x + y) + z=x + (y + z), which expresses the associativity of +. 
Although = was needed for the above example, this is rarely the case. An important example 
where its use is required, however, is in the Knuth-Bendix completion of the one-axiom 


characterization of groups [Lescanne 83a]. 


3.3.2 Decomposition Orderings 


Lescanne has recently developed the recursive decomposition ordering with status (RDOS) 
[Lescanne 84], which is an extension of the recursive decomposition ordering [Jouannaud 
82a]. Like RPOS, RDOS is monotonic in the precedence, every instantiation of RDOS is a 
stable simplification ordering, and an instantiation of RPOS is well-founded if and only if > is 
well-founded. RDOS and RPOS yield the same ordering when the precedence is total. RDOS 
is a strict extension of RPOS when the precedence is not total. 


In addition, RDOS is incremental! [Jouannaud 82a] in that an implementation can easily give 
some help to the user for extending the precedence when two terms are not orderable. This 
help consists ofa complete set of all pairs of operators that might make the terms orderable, if 
used to extend >. As described in [Jouannaud 62a], these suggestions are not extenders, 
per se, because they are only single pairs of operators and they only address the > relation in 
the registry. Nevertheless, the suggestions produced by RDOS are helpful and important, 
because (as noted in the previous section) the > relation is usually the most significant 
information in the registry, and the set of suggestions produced is usually small. The decom- 
position orderings are the first ones to provide an easy way to help the user extend the 


registry. 


RDOS has the same two extensibility limitations as RPOS: 1) RDOS requires that the status 
map be total before the termination proof begins, and 2) RDOS cannot take advantage of the 
partial information in uncommitted precedences. Again, these problems are easily fixed. 
RDOS can be straightforwardly extended to allow @ status for operators, and to handle f > g, 
in a manner very similar to the way we changed RPOS into EPOS above. We cail this 
modification to RDOS the extensible decomposition ordering with status (EDOS), >. 


We do not give the details of RDOS (or EDOS) here. We have mentioned the decomposition 
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orderings because they are more powerful than the path orderings, and their ability to provide 
suggestions is the inspiration for the automatic orderings described here. In the next section, 
we introduce a new ordering that is more powerful than both >2 and >=. 


3.4 Closure Ordering with Status 


Plaisted has suggested the closure ordering with status® (COS), a registered ordering that is 
more powertul than both EPOS and EDOS. in this section, we describe COS, and show that 
every instantiation of COS is a stable simplification ordering, COS is monotonic in the registry, 
and an instantiation of COS is well-founded if and only if > is well-founded. 


The definition of COS makes use of two subsidiary registered orderings, >; and >, that are 
relationals on other registered orderings. For a given registry p = (s,y), let PX) denote the 
set of all total extensions of w over ali operators that appear in s and/or ¢t. (Note that all 
precedences in Pi(sr) are committed with respect to these operators.) Let $y) denote the set 
of all total extensions of ¥ over those same operators, and let Atle) denote the set of all total 
extensions of p over those operators. 


Definition 13. Let > be a registered ordering. We define the registered ordering, >;, such 
that s >, t if and only if (V pEA Kp)Ms >~I[p] 1). 


Theorem 14. If every instantiation of > is a simplification ordering, the same is true for >,. 


Proof. We must show that every instantiation of >, is a partial ordering, is compatible, and 
has the subterm property, for any > whose every instantiation also has these properties. 
Compatibility: (By contradiction.) Suppose that every instantiation of > is compatible, but 
that this is not true for >;. Then for some registry, p, and some terms, s, ¢, f(...s...), and 
i(....t...), we have s >, t and f(...s...) 7% f(...t...)._ By Definition 13, wa have s > ¢ and f(...s...) * 
f(...t...) for some registry extension in Aile), which contradicts the supposition. 

Subterm: (By contradiction.) Suppose that every instantiation of > has the subterm 
property, but that this is not true for >. Then for some registry, p, and some terms, t and 


as suggested by Plaisted, the closure ordering does not use status, but it is easy to extend his idea in this 


manner. 
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f(...t...), we have f(...t...) 9 t. By Definition 13, we have f(...t...) > ¢ for some registry extension 
in AX), which contradicts the supposition. 
The proofs of transitivity and irreflexivity are similar. . oO 


Lemma 15. If every instantiation of > is stable, the same is true for > 


Proof. (By contradiction.) Suppose that every instantiation of > is stable, but that this is not 
true for >4. Then for some registry, p, some terms, s and t, and some substitution, o, we have 
S >a t and o(s) 7% o(t). By Definition 13, we have s > t and o(s) » a(t) for some registry 
extension in Ave), which contradicts the stability of >. 0 


Lemma 16. >, is monotonic in the registry. 


Proof. (By contradiction.) We must show that >, is monotonic in both # and ¥. Suppose >, 
is not monotonic in w. Then for some precedences #, and #,, where #, is an extension of #,, 
and for some ¥, 5 >, ft under (wy: ¥), but s 94 t under (#,, ¥). By Definition 13, it must 
therefore be the case that s > t under # and all precedences In Piz): but not under ¥ and 
all precedences in ®{(w,). But this is a contradiction, since P{w,) 2 M{x,). The proof for 
y-monotonicity is similar. | o 


Lemma 17. Assume > is monotonic in the registry. If an instantiation of > is well-founded 
whenever > is well-founded, the same is true for >y. If >, is well-founded under some 
registry, p, > is also well-founded under p. 


Proof. (By contradiction.) Suppose that an instantiation of > is well-founded whenever > is 
well-founded, but that this is not true for >y. Then there exists an infinite decreasing se- 
quence t, > f, > t, >... for some precedence w for which > is well-founded, and for some 
¥. By Definition 13, we have t, > t, > t, >... under all registries in A%(p). Since > is 
well-founded, there is (by Zorn’s Lemma) some total extension, #, = (> ,,3,), of w, such that 
>, is well-founded, and (by supposition) > is well-founded under (w,, ¥). Since > is 
monotonic in ¥, > is well-founded under all registries in {a} X{(¥). But this is a contradic- 
tion, since {a ,}XS%¥) is non-empty and A%p) D {#,}X Sy), and > is not well-founded 
under any registries in A (p). 

Suppose >, is well-founded under some registry, p, and > is not. Then there exists an infinite 
decreasing sequence t, > t, > f, >... under all registries in A ‘{p), since > is monotonic in 
p. By Definition 13, we have t, >y t, >y t, >g... under p, which contradicts the supposition. O 
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Corollary. If an instantiation of > is well-founded if and only if > is well-founded, and > is 
monotonic in the registry, then an instantiation of >, is well-founded if and only if > is 
well-founded. 


Definition 18. Given a registered ordering, >, we obtain its closure, >, where s >_ t is 
defined as the union of the following two cases: 


(js >t 
(2) $ >yt 
Lemma 19. If > is monotonic in the registry, > = >. 


Proof. Assume > is monotonic in the registry. By Definitions 13 and 18, s >, t implies s >» ¢, 
and (2) (above) implies s >; t. We must also show that (1) (above) implies s >, t. Suppose (1). 
Since > is monotonic in the registry, we have s > t under all registries in Ap). By Definition 
13, s >y t. . Oo 


Note that the closure, ><, of a registered ordering, >, is usually more efficient to compute 
than >, because, by the definition of >z, s >y t need not be computed if we already have 
s > t. The closure operation unifies >& and >2, in that the closure of >= is the same 
registered ordering as the closure of >2. |.e., 


Lemma 20. >& = >£ 


Proof. When the registry is total, >> = >2 (see Section 3.3.2). Thus, by Definition 13, 
> = >§. Since both > and >» are monotonic in the registry, we have > = >Z, by Lemma 19. 
Oo 


For concreteness, we use >& instead of >2, and obtain Plaisted’s registered ordering’?, 


Definition 21. The closure ordering with status (COS), >, is the closure, >, of >©. 


10 biaisted’s definition of the closure ordering is more general than the one we give here. His definition treats 
variables as operators in the total precedences under which EPOS is computed. This results in a more powerful 
closure ordering. The proof of stability for this improved closure ordering is more complicated than for our definition, 
because it does not follow directly from the stability of >=. Such a proof would be a digression here, so we have 
presented the simpler definition. This improvement to the closure ordering is largely independent of the automatic 
termination issues discussed in this chapter. 
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We will write >* in place of >£ in the remainder of this thesis. The monotonicity of > implies 
that >* = >§, by Lemma 19. Consequently, Theorem 14, Lemmas 15 and 16, and the 
corollary to Lemma 17 apply to >* as well as >. Thus, since every instantiation of > is a 
stable simplification ordering, >= is monotonic in the registry, and an instantiation of >= is 
well-founded if and only if > is well-founded (see Section 3.3.1), these properties also hold for 
>*. The next theorem states the main reason for our interest in >*. . 


Theorem 22. >is astrict extension of 22. 


Corollary. > is a strict extension of >. 


Proof. Assume s > t under p. Then we have s > t under all registries in 4 %(p), because >2 
is monotonic in the registry. Since >2 = >= when the precedence is total, we have s >= t 
under all registries in Axo). By the monotonicity of >=, Lemma 19, and Definitions 13 and 21, 
we have s >“ t under p. Thus, »* is an extension of >. 


To see that the extension is strict, consider the two terms, 
$= f(f(a, a), f(b, b)) 
t = f(b, a) 


Assume that the registry is empty. We have s >* t, but s and ¢ are not orderable under ¥2. 
Since > is a strict extension of >, the corollary follows immediately. a) 


To order the above two terms under >? and >£, one can extend the registry in any of several 
ways, including ¥(f) = @, or a > b, or b D a, or any registry extension in Ato), each of which 
causes s to be greater than tf. 


As an aside, the above example does not demonstrate the added power of >* over the recur- 
sive path ordering (RPO) [Dershowitz 82a]. RPO is the same as RPOS, except that the status 
of all operators is @. Above, when ¥(f) = @, we have s >” t, as well as s >* t. Lescanne has 


suggested another example: 
S = f(f(f(a, a), a), f(b, b)) 
t = f(f(a, b), f(a, b)) 


Here, s and t are not orderable under >2 when the precedence is empty and all operators have 
@ status. However, we do have s >* t in this case. 


On the face of it, >* looks to be a mixed blessing. On the one hand, the >* registered ordering 
is more powerful than +2. On the other hand, a >* implementation based directly on the 


52 


Chapter 3 Automatic Construction of Terminating Rewriting Systems 


definition would run very slowly in the worst case. For two terms, s and t, under an empty 
registry, where (s, t) ¢ >, s >* t, and s and t include 5 different operators (not atypical), it 
appears that there are 5! X 5° = 15,000 total registries under which > must be computed in 
an attempt to order the equation under >*. However, the next section presents a method of 


computing >* that may be more efficient. 


3.5 Computing Minimal Extenders 


As discussed in Section 3.2.3, it is highly desirable to compute the minimal complete extender 
set, S(>), whenever two terms, s and ¢, are found to be unorderable under >. This section 
describes methods for computing %(>°), %(>2), and %(>*), allowing >, >2, and > to be 
implemented as automatic orderings for automatic termination proofs. We show that %(>¥), 
and even >* itself, can be computed using either S(>=) or G(>2). The %(>£) scheme has been 
implemented in REVE, and Lescanne is currently developing a %(>2) implementation. Some 
further study is required before implementing a %(>*) scheme. 


The computing of minimal extenders has been largely ignored in the past. The precedence 
and status map are typically chosen a priori, and then appropriately adjusted in a trial-and- 
error fashion. There are three major reasons for this: 


(1) Until recently, even manually-produced termination proofs have been difficult to 
obtain. Only in the last several years have classes of simplification orderings, 
such as RPOS and RDOS, emerged that are sufficiently general to be applicable 
to a wide variety of rewriting systems found in practice. 


(2) Prior to the emergence of Lescanne’s REVE 1, the idea of extending the registry 
on an as-needed basis, as unorderable equations are encountered, had not ap- 
peared in any available system. 


(8) Minimal extenders seem computationally intractable. Any algorithm for comput- 
ing S(>) probably requires time that is exponential in the number of operators in 
the terms s and t. 


A goal of this chapter is to pragmatically address the last concern above. The methods for 
computing minimal extenders that we present here have probabie worst-case exponential 
behavior. However, for typical examples, we have found that the %(>£) algorithm usually 
requires no more than several seconds per equation, and we conjecture that the running time 
of the %(>2) and %(>*) algorithms will be similar. Moreover, when constructing a terminating 
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rewriting system from a typical set of equations, many of the equations will already be or- 
derable under the current registry, and it is only necessary to compute S(>) when an equa- 
tion is not orderable. 


In the remainder of this section, we describe the %(>-) computation in detail, briefly indicate 
the differences between computing %(>2) and %(>°), and give an overview of a technique for 
computing %(>*). Throughout, we assume that the two terms being compared are 
s = f(s,,..,5,,) andt = g(t,, ..., f,), and that all variables are to be regarded as constants, as 
indicated above in the definitions of >= and >. 


3.5.1 Minimal Extenders for EPOS and EDOS 


This section presents the terminology, concepts, and algorithms related to the computing of 
S(>£) and &(>2). We will present the details of our algorithm for computing %(>£). The 
method for computing %(>2) is similar, so we will only indicate how the %(>2) generation 
scheme differs from the one for %(>). For concreteness, all terminology will be introduced in 
the context of >. . 


The %(>=) algorithm makes use of comparators and orderals. We will. see that the problem of 
computing the minimal extenders for s >= t reduces to the problem of computing extenders for 
the orderals of s >= t under each incremental extension. This, in turn, reduces to the problem 
of computing combined extenders for the orderals, which then reduces to the problem of 
computing the minimal extenders for the comparators that compose the orderals. 


A relator, g, is one of three registered relations used in defining and computing ©. The value 
of @ may be either >&, >=, or 28. 


A comparator, denoted (s,t,@), associates a particular pair of terms (here, s and ¢) with a 
relator (p) under which they should be compared. A registry is a (minimal) extender for a 
comparator, (s,t,q), if and only if it is a (minimal) extender for s gp t. The notions of complete 
extender set, minimal complete extender set, and minimal reduction (see Section 3.2.3) carry 


over straightforwardly to comparator extenders. 


An orderal, D, for a comparator, (s,t,), under p is a set of comparators such that: 
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(1) For every comparator (s’,t',p’) in D, s' € {s, s,, .... 8}, t' € {t, tyres ty}, and it is 
not the case that both s’ = sand?’ = ft. 


(2) If p is an extender for every comparator in D, it is an extender for (s,t.p). 


(3) No subset of D is an orderal. 
Intuitively, the comparators in an orderal represent subterms that can be compared to estab- 
lish s p t. The orderals for (s,t,p) are not defined if both s and t are constants. An extender 
for an orderal, D, is an extension of the current registry that is an extender for every com- 
parator in D. An extender for D is minimal if no proper subset of that extender is also an 
extender for D. The notion of complete extender set carries over straightforwardly to orderal 
extenders. A combined extender for an orderal D is a union of extenders that consists of 
exactly one minimal extender from each comparator in D, provided that union results in a 


consistent registry. 


We will use ACH) to denote the complete set of orderals for (s,t,p) under p. The orderals in 
3 ~,p) are derived directly from the definitions of >£, >=, or <&, depending on @. Consider 
the comparator (s,t,=). If f > g, there is only one orderal: {(s,t,,>), .... (s.t,.>=)}. If (f, 9) ¢ 
>, there are m orderals for (s,t,>“): {(s, t=}, sek {(s,st:2=)}- There are typically many 
orderals when f = g, and so on. A complete extender set for ERC) is any set of registries 
that is a complete extender set for every orderal in (pp). 


An incremental extension of p = ((>,;4),) for s and t is any extension to p that differs from p 
only in that it may contain additional information about f and g. For example, if f and g are not 
comparable under (3,34), and both have @ status, then p, p U {g > f}, and p U {f > g, 
¥(f) = @} are incremental extensions. The incremental extension set, denoted SXe), of p for 


s and t is the set of all such incremental extensions. 


Note that every minima! extender for an orderal, D, must also be a combined extender for D, 
and every combined extender for D is an extender for D. Thus, the set of all combined 
extenders for an orderal is a complete extender set for that orderal. Therefore, by the defini- 
tion of EC) complete extender sets, the set of all combined extenders for all orderals in 
y AC) is a complete extender set for 9 i,p)- 


To compute the minimal complete extender set for some comparator (s,t,p) under p, one 
must Compute complete extender sets under p, and also under each possible extension to p 
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that extends the information about f and g. Thus, we must individually use each incremental 
extension in J fle) (which includes p itself) as a starting point for computing extenders. When 
both s and t are constants, a complete extender set for (s,t,¢) is the set of all registries in J Xp) 
under which s » t. When either s or t is not a constant, a complete extender set for (s,t,¢) is, 
by the definitions of 3 ip,p) and Sie), the union of complete extender sets for all sets 
g p.P,) corresponding to each p, in 3 to). Thus, using the remark in the paragraph above, a 
complete extender set for (s,t,p) is the set of all combined extenders for all orderals in all sets 
CT) corresponding to each p, in 5Xe). The minimal reduction of this set yields the 
minimal complete extender set for (s,t,@). 


. Finally, S(>£), the minimal complete extender set for s >© t under p, is the minimal complete 
extender set for the comparator (s,t,>©) under p, computed in the manner indicated above. 


The function ComparatorExtenders, shown in Figure 3-2, computes and returns the minimal 
complete extender set for a given comparator under a given registry. The function 
OrderalExtenders, shown in Figure 3-3, computes and returns the set of all combined ex- 
tenders for all orderals in a given set under a given registry. The two functions are mutually 
recursive. 


ComparatorExtenders first accumulates, in S’, a complete extender set for (s,t,p) by collect- 
ing combined extenders, in the manner indicated above. The minimal reduction of S' is then 
accumulated in S to obtain the minimal complete extender set. 


OrderalExtenders uses S to accumulate all combined extenders for all orderals, D, in S'. C . 
holds the combined extenders for all comparators preceding (s,t,p) in D. C’ is used to in- 
crementally accumulate the next value of C, as each minimal extender for (s,t,) is con- 
sidered. OrderaiExtenders assumes the existence of a subsidiary function, IsConsistent, that 
returns true if and only if its argument is a consistent registry. 


Figure 3-4 presents the minimal complete extender set for an example comparator, as com- 
puted by the ComparatorExtenders function in Figure 3-2. The example is derived from one 
of the equations in Figure 3-1 on Page 47. Here, we assume that the current registry is empty. 
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Figure 3-2: Function to Compute the Minimal Extenders for a Comparator 


function ComparatorExtenders ((s,t,p), p) returns (S) 


Compute complete extender set: 
S':= {} 
if (s is a constant) and (tf is a constant) then 
for each p, in Xp) do 
ifs pt then S’:= S'U {p,} endif 
endfor 
else for each p, in 3 \p) do 
S':= S' U OrderalExtenders(S p04) p,) 
endfor 
endif 


Compute minimal reduction of complete extender set: 
S:= {} 
for each p, in S' do 
for each p, in S‘ do 
if p, is a strict extension of p, then p,:= p, endif 
endfor 
S:=SU {p,} 
endfor 
return(S) 
end ComparatorExtenders 
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Figure 3-3: Function to Compute All Combined Extenders for All Orderals in a Set 


function OrderalExtenders (S’, p) returns (S) 
Si= DB 


. for each D in S' do 


’ Compute complete extender set for D: 


C:= {} 
for each (s,t,p) in D do 
C':= {} 


incrementally compute derived extenders: 
for each p, in ComparatorExtenders((s,t,p), p) do 
for each p, in C do 


Pz: = Pp, U Po 
if isConsistent(p,) then C’:= C’U {p,} endif 
endfor 
endfor 
C:=C' 
endfor 
S:=SUC 
endfor 
return(S) 


end OrderalExtenders 
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Figure 3-4: Minimal Extenders for (Aaly, x). y), oG, ¥), *) Under Empty Registry 


(1) {¥(g) = @) 
- @tt>o) 
(3) {f& 9, 4 = ©, Hig) = ©} 
{FE 9, Wi) = ©, 449) = @} 
OE o.4 = 0, ¥@) = @} 


Leecanne has noted that computing. %(>F) ts:roughly-slailiar to: computing SOF). When — 
comparing two terme, >2 first bulide the decompositions of Hate iame,end compares these 
decompositions inetend of comparing the terms directly. <A: droempoation is a multieat of 
path decompositions, a pail donouspociton nn: nines emniepiints meaetnontites, and 
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3.5.2 Minimal Extenders for COS 


This section presents the outline of a scheme to automatically generate the minimal complete 
extender sets under >*. This same technique can also be used to compute >* itself. The 
scheme assumes the ability to compute minimal complete extender sets under >= or >2, 
presented in the last section. 


We do not propose that an implementation of %(>*) literally use the technique presented here. 
Our purpose is to demonstrate that %(>*) can be computed using implementations of %(>£) or 
%(>2), and that >* need not be implemented by computing >& under potentially thousands of 
registries. Further work is needed to discover an appropriate, practical implementation that 
might make use of the ideas presented in this section. 


The minimal extenders for >* are closely related to the minimal extenders for >= and >2. By 
the definition of >*, the set of all total extensions to the registries in S(>*) is the set of all total 
registries under which s >® t. The same is true for %(>2). The difference between %(>*) and 
%(>£) is that the extensions in %(>°) are not necessarily minimal for >*. Thus, we propose 
that S(>*) be obtained by properly reducing the registries in S(>°). Since >= and > are the 
same ordering under total registries, the same relationship holds between %(>*) and %(>2) as 
between %(>*) and %(>°). For concreteness, we will use %&(>£) here, though %(>2) could be 
used in exactly the same manner. 


Our approach to computing %(>*) involves viewing registries as formulas in propositional 
calculus. Every registry can be viewed as a set of items, where an item is a stated > or 
relationship between two operators, or a status assignment to some operator. For example, 
f > g,f #9, and $(f) = © are three items. (All > shorthands are represented by their 
two-item > and 3 equivalents, and = is represented by two > items.) For any registry, p, we 
define its propositional formula, denoted Prop(p), to be the Boolean conjunction of all items 
comprising p. Thus, if p is: 

(Pog fRh yh = O} 
Prop(p) is: 

tog AgPhAfPhnaAyi(f) = 8 
Note that for two registries, p, and p,, p, is an extension of p, if and only if Prop(p,) => 
Prop(p,). 
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An extender set can be viewed as a formula in disjunctive normal form, by taking the disjunc- 
tion of the formulas associated with each of the extenders in the set. For example, the 
extender set in Figure 3-4 can be viewed as the formula shown in Figure 3-5. We use Prop(S) 
to denote the formula associated with the extender set S. Note that p, is an extender for s > t 


under p if and only if Prop(p,) => Prop(%& (>.p))- 


Figure 3-5: Formula Formed from the Extenders in Figure 3-4 


(ig) = @) V 

[(f> 9g) AG #9) V 

[(f > 9) ACH) = ©) A (¥g) = OV 
[(f & g) A (o(f) = ®) A (bg) = ®)] V 
[(f > 9) ACH) = ©) A (¥Q) = ®)] 


A formula in disjunctive normal form that is composed of items, where none of the items is 
negated, can be straightforwardly viewed as a set of registries, provided each disjunct forms a 
consistent registry. We use Reg({y) to denote the set of registries obtained from such a 
formula, 7. By taking these two different views of an extender set, one can manipulate the 
extenders in the well-understood domain of propositional calculus, but interpret the formulas 
in the domain of registry extensions. We propose a method for computing >* extenders that 
is based on propositional calculus manipulation of > extenders. 


Let S be the set of operators appearing in the rewriting system of interest, and T be the set of 
operators appearing in s and/or ¢. Note that for any S, there exists a formula, Consis(S), such 
that a registry, p, over S is consistent if and only if Prop(p) A Consis(S) is true. (The formula 
Consis(S) is easily constructed from S using the definition of consistent registry.) Also note 
that AN) is the complete set of all registries that are total over T. For any Po AND, Po is 
a total extension, over T, of a registry p,, over S, if and only if p, U p, is a consistent registry; 
or, in terms of formulas, if and only if Prop(p,) A Prop(p,) A Consis(S) is true. 


By the definition of >, p, is an extender for s >*[p] if and only if all total extensions of p, 
over T are extenders for s >[p]?. Translating to formulas, p, is an extender for s >*[p] t if and 


only if 
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(Vp, € AA{})) [(Prop(p,) A Prop(p,) A Consis(S)) => Prop(% >.) 


The above formula may be syntactically transformed into 
Prop(p,) => [Prop(S X>~,p)) V 7Prop(A X{})) V 7Consia(s)] 

_Therefore, P, is an extender for s >* 1 if and only if the above implication holds. Let 7 denote a 
disjunctive normal form of Prop( > ,p)) V 7Prop(4 ji{})) V 7Consis(S), where each dis- 
junct contains as few items (or negated items) as possible under the simplification rules of 
propositional calculus. Since Prop(p,) is a conjunction of items, Prop(p,) => 7 if and only if 
Prop(p,) implies one of the disjuncts in yn. By its construction, Prop(p,) contains no negated 
items, so ail disjuncts in » that contain any negated items may be removed from 7 without 
affecting the Boolean implication. Let Reduce(s,t,S,p) denote this reduced form of ». 


We now have that p, is an extender for s >* t if and only if 

Prop(p,) => Reduce(s,t,S,p) 
interpreting this in the domain of extenders, Reg(Reduce(s,t,S,p)) is a complete extender set 
for s >* t under p. The extenders in Reg(Reduce(s,t,S,p)) are already minimal, because the 
disjuncts in Reduce(s,t,S,p) contain as few items as possible, so. Reg(Reduce(s,t,S,p)) is 
S(>*). 


In short, we may compute %(>*) by first computing %(>5), and then manipulating %(>£) using 
propositional calculus. Furthermore, we have s >*[p] t if and only if the computed value of 
%(>*) is {p}. This gives us an alternative method for computing the >* registered ordering 
itself, without having to compare s and t with >= under many registries. 


As an example of computing > extenders, consider the terms s = f(f(a, a), f(b, b)) andt = 
g(b, a). The extenders comprising & (>=,), assuming that p is empty, are shown in Figure 
3-6. Note that f > g is a minimal extender for s >= t, as indicated in the figure, but f > g is not 
an extender for s > t. However, the formula Reduce(s,t,S,p) for this example is the single 
item f > g. Thus, this yields the only minimal extender for s >* t: S(>#) = {f > g}. 
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Figure 3-6: Minimal Extenders for f(f(a, a), f(b, b)) >= g(b, a) Under Empty Registry 


(1) {f> 9} 

(2) {f& 9, H(A) = @, Hg) = @} 

(3) {f& 9, ¥(f) = O, ¥(g) = @} 

(4) {f& 9, ¥(f) = ©, Hg) = O} 

(5) {FB 9, FB b, Hf) = O, Hg) = O} 

(6) {f> 9,a bb, ¥() = O, (9) = O} 

{fg bd a, vif) = O, ¥(g) = O} 

(8) {FE o,f a, ¥(f) = ©, Hg) = @} 
— DFE gab db, YA) = O, ¥(9) = O} 
(10) {f > g,b & a. ¥() = @, ¥(9) = @} 


3.6 Automatically Constructing Rewriting Systems 


With an automatic ordering, >, a terminating rewriting system can be automatically con- 
structed from a set of equations, &, as follows: Start with an empty registry. Consider each 
equation, s =?, in &. If there are any minimal extenders for s = in either direction, choose one 
of them to be the current registry, and go on to the next equation. Otherwise, back up to the 
last equation, choose one of its minimal extenders that has not yet been tried, and continue. 
When s =t is considered again, the registry might be such that it has some minimal extenders. 
Systematically pursued, this automatic technique is a depth-first search for a terminating 
registry for © under >. If all minimal extenders are tried at each backtrack point, and the 
depth-first search fails to find such a registry, there is no. terminating registry. in this case, 
either the equations in & cannot be ordered into a terminating rewriting system, %, or > is not 
powerful enough to demonstrate the termination of %. 


Chapter 3 Automatic Construction of Terminating Rewriting Systems 


Figure 3-7 presents a procedure, AutomaticConstruction, that formalizes the above idea. This 
procedure has been implemented in REVE. AutomaticConstruction takes &, and returns a 
terminating registry for & and the automatic ordering >, together with the terminating rewrit- 
ing system corresponding to that registry. If there exists no terminating registry for & under 
>, AutomaticConstruction halts with "failure." The procedure makes use of the stack primi- 
tives New, Push, Pop, Top, and IsEmpty, which have their conventional meanings. The AnyOf 
function returns any element of its set argument, and EmptyRegistry returns an empty 
registry. As each equation is considered, it is removed from &. When an equation is success- 
fully ordered, a tuple consisting of the following items is. pushed onto the stack: 


e The equation, in the direction it is being considered. 
e A Boolean value that indicates whether the equation has been tried in the reverse 
direction. 
@ The minimal extenders, for this direction of the equation, that have not yet been 
tried. , 
e The rest of &. 
Whenever there are no extenders, in either direction, for some equation, the stack is popped 
until an equation is found for which there are minimal extenders that have not yet been tried, 
and the current contents of & are reset accordingly. If all equations are successfully pushed 
onto the stack, the current registry is returned, along with a rewriting system consisting of all 
the equations in the direction that they appear on the stack. Note that 6 >p) consists only 
of p if s > t under p. Also, if s—+t is not a valid rewrite rule, we have s > t (because >[p] is a 
simplification ordering), so % >.) = {} in this case. 
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Figure 3-7: Procedure To Automatically Construct a Terminating Rewriting System 


procedure AutomaticConstruction (6) returns (p, %) 
stack := New 
p:= EmptyRegistry 
while & # {} do 
_s=t:= AnyO#(&);8:= &-{s=t} 
reversed := false 
X:= Si>,p) 
while X = {} do 
if “reversed then 
S,t:= t,s 
reversed := true 
X:= BSl>p) 
else if lsEmpty(stack) then halt with failure endif 
(s =t, reversed, X,&):= Top(stack) 
Stack := Pop(stack) 
endif 
endwhile 
p:= AnyO#(X); X:= X-{p} 
_ Stack := Push(stack, (s =t, reversed, X, 8)) 
endwhile — 
%:= {} 
while —lsEmpty(stack) do 
(s = t, reversed, X, &):= Top(stack) 
Stack := Pop(stack) 
%:= KU {s—-1} 
endwhile 
return(p, %) 
end AutomaticConstruction 
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Figure 3-8: Example to Hlustrate the 


_ (1) AA, x”), y) = f(x, fx, y)) 
(2) fioly, x), y) a g(x, y) 
(3) of, x), x) = f(x,y) 


(4) gigtx, x), y) = oly, ot, y) 


is the same set 9s in Figues 3-1 on Page. 47, Wo al wn Fn esac ding, and 
Consider the equasions i the ender chown inthe Agus 


(7) AutomatioConstruction now reconsiders the: thie! equation. it le net orderable 
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under the current registry, but %S(>©) consists of a single minimal extender (and it 
is different from Step (3), above): {¥(f) = ©, f = g}. We choose this as the 
current registry, and push a tuple containing an empty extender set onto the 
stack. 


(8) The fourth equation is not orderable under the current registry, but this time the 
minimal complete extender set in the reverse direction is {¥(f) = ©, f = g, 
¥(g) = @}. We use this as the current registry, and push.a tuple on the stack 
containing the reversed equation. 


(9) There are no further equations to consider, so we pop the equations from the 
stack, build them into a rewriting system, and return the current registry together 
with that rewriting system. 


The registry {¥(f) = @} orders the first equation in Figure 3-8 in the reverse direction. If this 
equation were reversed in the figure, AutomaticConstruction would try several registry exten- 
sions before finally backing up to the first equation, reversing it, and continuing. 


As_an aside, it is not strictly necessary to use only minimal extenders when proving termina- 
tion automatically with registered orderings. Allowing non-minimal extenders can sometimes 
lead to a gain in efficiency. For example, consider the minimal extenders in Figure 3-4 on 
Page 59, The second minimal extender in the figure states that all registries that contain f > g 
are extenders for s >& t. If AutomaticConstruction cannot finish successfully using extensions 
of this extender, it makes no sense to try the third, fourth, and fifth minimal extenders in 
conjunction with f 34g. Thus, one may replace all occurrences of f > g in the figure with 
f = g, without danger of AutomaticConstruction missing a potential extender. Making this 
replacement may allow the rewriting system construction process to proceed faster, since 
then the extensions of the second extender will be disjoint from the extensions of the last 
three extenders, avoiding some potential redundancy when searching for an extender for the 
rewriting system. Once %(>) has been computed, one may perform a postprocessing on 
%(>) to remove such redundancies before considering the extender set in 
AutomaticConstruction, if desired. 


Instead of arbitrarily choosing a minimal extender from %&(>), an implementation of 
AutomaticConstruction might display the extenders in %(>-) and permit the user to select 
one. Rather than presenting the entirety of each extender to the user, it may be desirable to 
present the transitive reduction of each extender, for brevity. A transitive reduction [Aho 72] 
of a directed graph, G,, is a smallest graph, G,, such that the transitive closures of G, and G, 
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are the same. The relation > in a precedence can be regarded as a directed graph, where 
operators are nodes, and > defines the edges on those nodes. We define the transitive 
reduction of a registry, ((>,4),¥), to be the transitive reduction of >, together with and y, 
which remain unchanged. The transitive reduction of p conveys the same information as p. It 
may also be desirable to subtract away the current registry before presenting the transitive 
reduction of each extender, so that only the new information introduced by the extender is 


displayed. 


One might think that AutomaticConstruction’s exhaustive backtracking scheme for construct- 
ing a terminating rewriting system would be too slow to be practical. However, we have found 
that for typical examples where termination can be proven using >, backtracking is usually 
not required. Even though there may be many extenders to choose from when an equation is 
unorderable, successive extender choices have a cumulative effect such that the terminating 
registry obtained tends to be relatively insensitive to. the particular extender choices made 


along the way. 


3.7 Summary 


In this chapter, we have presented the basic definitions of relations and orderings, and intro- 
duced relationals as parameterized relations. We then presented simplification orderings, 
and the termination theorem that justifies the use of simplification orderings in termination 
proofs. The notion of a registered ordering was defined: a relational, parametized on a 
registry, that yields a stable simplification ordering. We then introduced automatic orderings, 
which are registered orderings whose implementation can compute the minima/ complete 


extender set when two terms are unorderable. 


We described RPOS, which can be viewed as a registered ordering, and extended it into 
EPOS, which is more suitable for the automatic construction of terminating rewriting systems. 
This was followed by a brief discussion of RDOS, the important role that RDOS has played in 
establishing the utility and viability of helping the user dynamically extend the registry when 
two terms are unorderable, and the fact that RDOS can be extended slightly to produce 
EDOS. We then presented COS, which is more powerful than EPOS and EDOS, and proved 
the correctness of COS in the context of termination proofs. 
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This was followed by algorithms that allow EPOS, EDOS, and COS to be used as automatic 
orderings. A minimal complete extender set scheme for EPOS was described in detail, and 
we roughly indicated how the scheme could be modified for EDOS. We showed how, in 
principle, the minimal extenders under COS, and the COS registered ordering itself, could be 
computed using minimal extender schemes for either EPOS or EDOS. 


Finally, we presented a procedure that automatically constructs a terminating rewriting sys- 
tem from a set of equations. The procedure makes use of an automatic ordering, and 
automatic implementations of EPOS, EDOS, or COS could be used for this purpose. 


Chapter Four 


A Failure-Resistant Knuth-Bendix Design 


4.1 Introduction 


In its original formulation (Section 2.6), the Knuth-Bendix completion procedure is used to 
transform a term rewriting system, %, into another rewriting system, %’, such that %’ is con- 
vergent and = SR, equals = g'. As discussed in Section 2.5, %’ provides a decision procedure 
for =o. However, Knuth-Bendix is not an algorithm: it may halt with "failure" if the two sides 
of a rule are not orderabie, or fail to terminate because it may generate an infinite set of rules. 


The original version of Knuth-Bendix, as presented in Figures 2-6 and 2-7 on Pages 28 and 
29, was chosen by its authors for its simplicity of exposition and for ease of proving its 
correctness, rather than for its efficiency. It differs slightly from later formulations by others in 
that it begins with a set of previously-ordered rewrite rules to be completed, rather than 
starting with a set of equations and using the reduction ordering to orient each of those 
equations into a rewrite rule. Three important problems of the original procedure are: 


(1) It is inefficient, 
(2) It fais whenever an unorderable equation is generated, and 


(3) The reduction ordering must be given a priori. 


This chapter presents a new, failure-resistant formulation of Knuth-Bendix that addresses 
these issues. As a partial solution to (1), above, it incorporates improved schemes for 
generating critical pairs and normalizing the rewriting system. For (2), it uses a fine-grained 
approach to postponing equations that are currently unorderable. For (3), it makes use of an 
important idea that first appeared in Lescanne’s REVE 1: it allows the ordering to be in- 
crementally extended as unorderable equations are encountered... The net result is a poten- 
tially faster completion procedure that halts with "failure" in fewer cases. The procedure is 
formulated as a sequence of tasks, that are performed in an order commensurate with their 
expected contribution to the successful and expeditious completion of the procedure. 
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Existing "incremental" implementations of orderings provide various degrees of help to the 
user when an unorderable equation is encountered. At one end of the user-assistance 
spectrum, automatic orderings compute all the possible ways that the registry can be ex- 
tended to allow the equation to be ordered. At the other end, if no ordering implementation at 
all is used, the user must hand-order each equation with no assistance from the program. In 
between are registered orderings, such as EDOS, where current implementations provide 
suggestions that help the user find an appropriate registry extension'?. We assume here that 
ordering "extensions" do not change the ordering of previously-ordered rules in the rewriting 
system. (This is true of all registered orderings described in Chapter 3, because they are 
monotonic in the registry.) 


lf partial help or no help is provided to the user to extend the ordering, discovering ap- 
propriate ordering extensions can be a slow process for the user, so Knuth-Bendix can 
usually be expedited in this case by postponing unorderable equations for a time. This may 
allow generated critical pairs to become rewrite rules that reduce some of these unorderable 
equations, to make the equations orderable or make them disappear. 


If an automatic ordering is used, it is usually faster to compute the minimal complete extender 
set for unorderable equations before generating more critical pairs. This is because Knuth- 
Bendix typically generates the smallest, most useful equations first, and, with automatic order- 
ings, the overhead of searching for an appropriate registry extension is reduced. In this case, 
an equation should probably only be postponed if there exists no registry under which it is 
ordered. 


Both of these possibilities are considered here. Section 4.2 describes Huet’s improved ver- 
sion of Knuth-Bendix. Section 4.3 presents our standard failure-resistant Knuth-Bendix 
scheme, especially appropriate for implementations of orderings that provide only partial help 
for extending the ordering. Section 4.4 indicates how the. procedure can be appropriately 
modified for automatic orderings by switching two of the Knuth-Bendix tasks. Both of the 
failure-resistant schemes are provided in REVE. 


tas noted in Section 3.5, Lescanne is currently working on an automatic ordering implementation of EDOS. 
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4.2 Huet’s Version 


Huet’s formulation of Knuth-Bendix [Huet 81] is presented in Figure 4-2, which makes use of 
the functions in Figure 4-1. The initial input to the procedure is a reduction ordering, >, and 
a set of equations, &. The rewriting system, %, is represented by a set of triples. Each triple 
consists of a rewrite rule, an integer label, and a flag, in that order. If the flag is *, the rewrite 
rule is considered to be "marked"; if the fiag is °, the rule is "unmarked." Since the proce- 
dure preserves the invariant that no rewrite rule occurs in more than one triple in %, a triple 
can be denoted by its rewrite rule. As in Figure 2-7 on Page 29, repeat means "go to the first 
statement of the'smallest enclosing loop." 


Figure 4-1: Auxiliary Functions Used by Figure 4-2 


Normail(t, %) _= Anormal form of the term t with respect to the rewriting system % 
Unorderable(s =t) = (s > t) and (t > s) 

Order(s = t) = ifs > t then s—+t else ts 

CriticalPairs(r, r’) - Set of ail critical pairs between the rules r and r' 


AnyOf(8) ~ = Any equation in the set & 


Huet’s version of Knuth-Bendix is more efficient than the original. It achieves this efficiency 
with two key optimizations: 


e Huet’s procedure generates the critical pairs between any two rewrite rules only 
once, whereas the original procedure begins again to look for critical pairs 
among all rules during each iteration through the main loop. The speed-up at- 
tained in Huet's formulation can be substantial, since the unifications required in 
computing critical pairs can be time consuming. 


e Huet’s procedure does not "normalize" the entire rewriting system each time a 
rewrite rule is added. Rather, it uses the fact that the rewriting system is com- 
pletely normalized prior to adding an additional rewrite rule, and that only those 
rewrite rules whose left or right-hand sides can be rewritten by the new rule will 
not be in normal form once the rule has been added. Furthermore, unlike the 
original Knuth-Bendix, Huet's procedure does not re-order rewrite rules whose 
right-hand sides are rewritten during normalization but whose left-hand sides are 
left intact. This re-ordering is unnecessary because such rules will still be or- 
dered under the reduction ordering. 
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Figure 4-2: Huet's Formulation of the Knuth-Bendix Completion Procedure 


R:= {};n:=0 
loop 
while & # {} do 


Find non-joinable critical pair: 
(s=t):= AnyOf(&) 

'€:= &-{s=f} 
s':= Normal(s, %); t' : = Normal(t, %) 
ifs’ = t' then repeat endif 


Order equation: 
if Unorderable(s’ = t') then halt with failure endif 
(Ap) := Order(s’ = 1’) 


Normalize rewriting system: 
for each <y—y, i, (D in % do 
y':= Normal(y, {A-+p}) 
if y # y' then 
Bhi= W- {yp}; S:= SU {y'=p} 
else p’:= Normal(p, % U {A-p}) 
if *# p' then ®:= (%- {y—p}) U {<y—p’, i, 2>} endif 
endif 
endfor 


ni=n+1 
Ria RU {<A-p, n, >} 
endwhile 


Find an unmarked rule: 
for each <A—9, i, in ® do 
if Q = ° then goto Compute critical pairs endif 
endfor 
halt with success 


Compute critical pairs: 
for each <y—, k, ®> in & do 

itk <ithen&:= & U CriticalPairs(A—p, yp) endif 
endfor 


Mark the rule: 


B= (K-{<A-+p, i, °>}) U {KAp, i, ©} 
endloop. 
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Huet's Knuth-Bendix implementation removes some of the obvious inefficiencies of the 
original procedure. However, it is still the case that the reduction ordering must be given a 
priori, and it fails whenever an unorderable equation is generated. The next section describes 
how REVE’s Knuth-Bendix implementation attempts to address the latter two problems. 


4.3 A Failure-Resistant Knuth-Bendix 


This section presents REVE’s failure-resistant Knuth-Bendix implementation. ( [Forgaard 84] 
presents a preliminary version of these resuits '9.) The chief improvements of this version over 
Huet’s are: 


e REVE does not require that the reduction ordering be given a priori. The ordering 
may be extended during the course of running Knuth-Bendix. During this 
process, the user may undo previous decisions and restart Knuth-Bendix. 


e REVE’s Knuth-Bendix implementation does not fail when an unorderable equa- 
tion is found. The ordering may be extended to allow the equation to be ordered, 
or the equation may be postponed. Postponement might allow the equation to be 
reduced, to disappear, or to be ordered later. 


e REVE automatically postpones consideration of large equations. 


e REVE computes smaller critical pairs first, which can expedite the completion 
process. 


e REVE’s Knuth-Bendix incorporates the modification shawn in Figure 2-9 on Page 
33, to support the Huet-Hullot inductionless induction method (see Section 2.7). 


REVE's technique of computing small critical pairs is presented in Section 4.3.1. Section 
4.3.2 describes the use of user interaction in extending the ordering. Section 4.3.3 describes 
equation postponement in REVE, and Section 4.3.4 outlines REVE’s scheme for efficiently 
computing the normal forms of postponed equations. Finally, the task-based control flow in 
REVE’s Knuth-Bendix implementation is presented in Section 4.3.5. 


the tlexible attribute, described in [Forgaard 64], is unnecessary here, because we assume monotonicity in the 
ordering. 
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4.3.1 Computing Small Critical Pairs 


Huet’s scheme for computing critical pairs can be characterized as follows: Maintain the 
rewriting system as a list of rules. Each rule that gets added to the list is initially unmarked. In 
the critical pair computation step, choose an unmarked rule A-+p and compute all critical 
pairs between A— and itself, and between Ap and every rule above it in the list. Then, 
mark Ap. In this way, each distinct pair of rewrite rules is used only once. 


In [Knuth 70], the authors note that small pairs of rewrite rules are more likely to lead to small 
critical pairs. Small critical pairs are useful because they take less time to generate and tend 
to lead to more general rules than do larger critical pairs. It is often the case that these rules 
reduce larger rules and equations, thus reducing the number of larger critical pairs that need 
to be generated. 


Huet’s Knuth-Bendix will tend to generate small critical pairs if it chooses the smallest un- 
marked rewrite rule when computing critical pairs, thus using unmarked rules in increasing 
order of size.* However, this refinement does not always pick the smallest pair of rules that 
has yet to be considered, since there may be rules in the list, below the chosen rule Ap, that 
are smaller than some of the rules above A-9 in the list. This strategy will tend to generate 
smaller critical pairs before larger ones, so the latter problem can be partially alleviated by 
always appending new rules to the bottom of the list so that larger rules tend toward the 
bottom. 


If the list of rewrite rules is always maintained so that it is sorted by size, and if critical pairs 
with a chosen rule A-+p are calculated with rules above A-—+p in order from the top of the list 
down to A-p itself, the marking scheme will ensure that critical pairs are always calculated 
starting with smallest pair of rules that have not yet been considered. 


REVE uses a strategy for choosing pairs of rules that is a compromise between the above two 
schemes. The REVE method does not pair the chosen rule with large unmarked rules, nor 
does it incur the additional mechanism (and minor inefficiencies) associated with maintaining 
a sorted list of rewrite rules. Instead, REVE chooses the smallest unmarked rule A-+p, marks 
it, and then computes critical pairs between A—+p and every marked rule, including itself. 


14shis was the scheme employed in REVE 1. 
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Since all marked rules are “small" in the sense that each marked rule was at one time the 
smallest unmarked rule, this scheme tends to start with small pairs of rules and move up to the 
larger rules as Knuth-Bendix progresses. However, REVE’s method does not necessarily start 
with the smallest pair of rules that have not yet been used, since some critical pairs may get 
generated that are smaller than some of the marked rules. Note that REVE’s strategy, as with 
Huet’s, considers each possible pair of rules, and does so only once. 


Further ideas for computing small critical pairs first are presented in Section 6.2.4.1. 


4.3.2 Proving Termination Using User Interaction 


REVE’s Knuth-Bendix provides explicit support for orderings that give help to the user when 
an equation is unorderable, although any ordering (including ordering by hand) may be used. 
The ordering is chosen by the user. We assume here that some ordering that provides help 
has been selected. 


When REVE encounters an equation that the ordering is currently unable to order, the equa- 
tion is shown to the.user. He is also presented with any suggestions provided by the ordering. 
The user is then asked to choose an action from an appropriate subset of the choices shown 
in Figure 4-3. 


If the user picks Choice (1), the ordering is extended accordingly and the equation becomes 
ordered into a rewrite rule in the appropriate direction. 


Choice (2) puts the equation on the list of unoriented or incompatible equations. Choice 
(3) puts the equation on the deferred list. See the next section for a discussion of these lists. 


lf the user selects Choices (4) or (5), the equation gets added to the rewriting system, and 
REVE proceeds to try to complete it. (These choices are only allowed if the equation can be 
validly viewed as a rewrite rule in the selected direction.) If REVE succeeds, the user is 
warned that the resulting rewriting system may not be convergent because it is not 
guaranteed to terminate. Allowing this hand-ordering of equations is sometimes useful with 
equations that are not amenable to termination proof using the selected ordering. 


Choice (6) invokes the technique, discussed in Section 2.4, for converting one equation into 
two. The user is prompted to supply the new operator name. 
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Figure 4-3: Choos for Unerderte Beaton | 
(1) Extend the ordering in.some manner, presumably using the suggestions 
Provided bythe enderng's mplementation. 
(2) Postpone the equation for the time being. 
(3) Defer the equation. | 
(4) Accept the equation as 2 rewrite rule in the diesctien shown. 
(6) Accept the equation as a rewrite rule inthe reverse direction. 
(6) Divide the equation into two equations, introducing anew aperator. 
(8) Undo Knuth-Bendix. 
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In Section 4.3.1, we mentioned the usefulness of generating small critical pairs first. For 
similar reasons, it is advantageous to consider small equations first. Thus, REVE postpones 


large equations, in addition to the unorderable ones. 


REVE’s Knuth-Bendix implementation partitions equations into five lists. The equations that 
REVE has not yet tried to order are in the new list. The postponed unorderable equations are 
in one of the incompatible, unoriented, or deferred lists. The postponed large equations are 


in the big list. 


An incompatible equation is one that cannot be viewed as a rewrite rule in either direction, as 
discussed in Section 2.5. 


An unoriented equation is one that can be viewed as a rewrite rule, but is unorderable at the 


present time. 


A deferred equation is an incompatible equation, or an unoriented equation that the user 
believes will probably never be orderable. It is being postponed, rather than divided or hand- 
ordered, because the user hopes that a later rule will reduce the equation to make it or- 
derable. For example, the user should direct REVE to put cyclic equations, e.g., x+y =y+x, 
on the deferred list. In the future, REVE could be made to automatically put certain types of 
equations on the deferred list. 


REVE’s Knuth-Bendix implementation does not look at big equations until all other equations 
have been ordered or postponed, and all critical pairs have been computed. The number of 
symbols in every big equation is greater than or equal to 8, a special value maintained by 
REVE. The size of all other postponed equations is less than 8. The value of 8 is set so that 
no user-introduced equation is considered big. When REVE finally looks at the big equations, 
it considers them from smallest to largest, and the value of 8 is adjusted accordingly. 


4.3.4 Computing Normal Forms of Postponed Equations 

In every iteration of the inner loop of the version of Knuth-Bendix in Figure 4-2, an equation is 
selected and the normal forms of its two constituent terms are computed. Computing a 
normal form can be time-consuming. In the worst case, the left-hand side of every rewrite rule 
must be matched against each subterm of the term being reduced. In Section 6.2.2, we 
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discuss the efficient computation of normal forms in general. Here, we present REVE’s 


strategy for normalizing postponed equations. 


Before REVE postpones an equation, it replaces the equation by its normal form. When the 
equation is reconsidered later, it is already in normal form with respect to whatever rewrite 
rules were in the rewriting system when it was previously normalized. The equation can only 
be reduced further if it is reducible by a rewrite rule that has been added to the rewriting 
system since the last time its normal form was computed. If the equation can be reduced 
using one of the new rules, the entire rewriting system must be used to find the new normal 


form; otherwise, the equation is already in normal form. 


Though perhaps the most time-efficient strategy, it is probably prohibitively space-consuming 
to associate, with each normalized equation, the list of rewrite rules with respect to which the 
equation was normalized. Instead, REVE does the following: When an equation is ordered, 
the new rewrite rule is temporarily stored on a list of unused rules in addition to being added 
to the rewriting system. Before attempting to order any equations, REVE removes each 
rewrite rule from the unused list, and attempts to reduce each of the remaining postponed 
equations in the system with respect to that rule. Those equations that can be reduced by the 
unused rule are then changed into new equations, since they must be re-normalized using the 
entire rewriting system. No such normal form computation is necessary for the other equa- 
tions. In this way, all equations are maintained in normal form with respect to the rewriting 
system minus the unused rules. 


4.3.5 Knuth-Bendix Tasks and Organization 


In the original Knuth-Bendix procedure (Figure 2-7, Page 29) there is a main loop that con- 
sists of finding a non-joinable critical pair, computing its normal form, ordering it, and nor- 
malizing the rewriting system. In Huet's version (Figure 4-2), there is an inner loop that 
processes all of the equations, and an outer loop that computes more critical pairs once all 
the equations have been processed. Knuth-Bendix would remain correct if we instead com- 
puted critical pairs in the inner loop, and only converted equations to rules in the outer loop, 
when the critical pairs had been exhausted. However, it is implicit in the procedure’s formula- 
tion that the computing of critical pairs is a less "desirable" task than ordering equations. 
Indeed, critical pairs are expensive to compute, and one hopes that by first processing as 
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Figure 4-4: Tasks Performed by REVE’s Knuth-Bendix Implementation 


ReduceEquations: Remove a rewrite rule from the unused list, and attempt to reduce every 
postponed equation using that rewrite rule. Move, to the list of new equations, all equations 
that get reduced. Repeat with each unused rule until none remain. 


ConsiderNew: Remove an equation from the new list, and reduce it to normal form with 
respect to. the rewriting system. If the resulting equation is big, move it to the list of big 
equations. Otherwise, execute the algorithm in Figure 2-9 on Page 33. If the algorithm 
divides the equation into a set of new equations, add those equations to the new list. 
Otherwise, attempt to order the equation. Put the equation into one of 1) the list of unused 
rules and the rewriting system, 2) the list of incompatible equations, or 3) the list of unoriented 
equations, as appropriate. If the equation becomes a rule, normalize the rewriting system as 
per the procedure in Figure 4-2. Any rules that become equations as a result of normalization 
get added to the list of new equations. Repeat until there are no more new equations. 


Considerincompatible: Remove an equation from the incompatible list, and ask the user 
whether he wishes to divide or postpone the equation. Repeat until an equation has. been 
divided or all incompatible equations have again been postponed. 


CriticalPairs: Mark the smallest unmarked rule in the rewriting system, compute critical pairs 
between it and alt marked rales, including itself, and add the critical pairs to the list of new 
equations. If no critical pairs result, repeat. If there are no unmarked rules, do nothing. 


ConsiderUnoriented: Remove an equation from the unoriented list, and present the user with 
any suggestions, provided by the ordering’s implementation, for extending the ordering. Ask 
the user to choose one of the actions shown in Figure 4-3. if the equation gets divided, add 
the two new equations to the new list. Repeat until a new equation or rewrite rule has been 
generated, or all unoriented equations have again been postponed. 


ConsiderBig: Remove the smallest equation from the list of big equations, and adjust 8 so 
that the equation is no longer big. Process the equation in the same manner as for new 
equations in the ConsiderNew task (except that it is already in normal form). Repeat until a 
new equation or rewrite rule has been generated, or there are no more big equations. 


ConsiderDeferred: Remove an equation from the deferred list. if the equation is incom- 
patible, process the equation in the same manner as in the Considerincompatible task. 
Otherwise, process it as in the ConsiderUnoriented task. Repeat until a new equation or 
rewrite rule has been generated, or all deferred equations have again been postponed. 
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Figure 4-5: Assumptions that Determine the Relative Desirability of Tasks 


(1) Reducing equations to normal form is relatively cheap. It is also useful: as a 
result of this task, equations and rewrite rules can become smaller or disappear 
entirely. 


(2) Ordering equations (without user help) can result in more rewrite rules, which in 
turn can allow other equations or rules to be reduced. The benefits are not as 
direct as for reducing equations, but it is not computation-intensive. 


(3) An incompatible equation cannot be ordered, and user help is required to decide 
whether the equation should be divided into two. Nevertheless, dividing an in- 
compatible equation can be very beneficial. Each of the rewrite rules that come 
from the two resulting equations has at least one variable on its left-hand side 
that does not occur on its right. Consequently, when either of these rules is used 
to reduce a term, one or more subterms of that term are effectively eliminated 
during the reduction. incompatible equations occur infrequently, but their 
presence usually indicates an important underlying property of the equational 
theory that should be immediately incorporated into the completion process. 


(4) Computing critical pairs can be time-consuming. Critical pairs must be ordered 
before they can be of further use, so they only contribute indirectly to the reduc- 
ing of other equations. However, critical pairs are computed without user help. 


(5) To order an unoriented equation, user help must be solicited to extend the order- 
ing (if possible) or postpone the equation. Because of the user interaction, this 
task is not as desirable as the above tasks in the context of automatic theorem 


proving. 


(6) As mentioned previously, big equations are rarely helpful to Knuth-Bendix. It is 
more desirable to consider the unoriented equations first, even though user help 
is required, because they are smaller. 


(7) It is unlikely that any deferred equation is orderable. If there are any other equa- 
tions, all of them should be ordered or divided before the deferred equations are 
considered, with the hope that the deferred equations will reduce. Thus, con- 
sideration of the deferred equations is the least desirable task. 
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Figure 4-6: Flow of Control in REVE's Knuth- Bendix implementation 


while there are any equations do 
ReduceEquations 
ConsiderNew 
I there are any unused rewrite rules then repeat endit 
Considerincompatibhe | 
if there are any new equations then repest endl 
CriticalPaire 


if there are any new equations then repeat endif 
- Considertinoriented 


If there-are any new equations then repeat endit 

- ConskterBig 
it there are any unused rewrite rutes or non-deferred equations then a 
ConasiderDeterred 

endwhite 
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might initially choose a particular orientation for an equation that causes the completion 
process to diverge, with Knuth-Bendix generating an infinite set of critical pairs that are all 
orderable. AutomaticConstruction will not back up to reverse that equation in this case; the 
procedure is designed to work with a finite set of equations. See Section 6.2.4.2 for a discus- 


sion of implementing a fully-automatic Knuth-Bendix. 


REVE currently provides an implementation of AutomaticConstruction that converts a fixed 
set of equations into a terminating rewriting system (when possible), but, in the context of the 
completion process, the registry is not extended automatically. Instead, when using an 
automatic ordering with Knuth-Bendix and an unorderable equation is encountered, the min- 
imal complete extender set is presented to the user, and the user selects one of the minimal 
extenders (if any) to make the equation orderable. 
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any omitted arguments. Whenever REVE expects input, the user may type "?" to see the list 
of possible responses in the current context. The HELP command provides on-line documen- 
tation for each command, plus additional information on more general topics related to 
REVE’s use. 


REVE’s remaining commands fall into the following categories: 
e Handling the input, output, display, and deletion of the rules and equations 
manipulated by Knuth-Bendix. 


e Selecting the registered ordering to be used by Knuth-Bendix, and controlling the 
precedence and status map to be used by that ordering. 


e Invoking Knuth-Bendix and theorem proving. 
e Directly accessing rewriting and unification primitives. 


e Saving and restricting terminal input/output. 
The remainder of this section presents an overview of these capabilities. See the Appendix 
on Page 116 for a detailed description of each command currently available in REVE. 


5.2.1 System 


The user's current system of rules and equations may be read from, and written to, disk files 
and the user’s terminal. tndividual rules and equations may be deleted from the system, and 
the user will be warned if such deletion might compromise the correctness of Knuth-Bendix. 


In addition, the current system may be stored and retrieved in raw CLU object form'®. When a 
system has been fully or partially completed by Knuth-Bendix, the user may FREEZE, into a 
file, the entire system state, including all of the current rules and equations, the current 
registry, and the "undo" history stack. Later, the user may THAW the frozen system. 
FREEZE and THAW are particularly useful for saving completed systems that are of general 
utility, or for temporarily saving an incomplete session with Knuth-Bendix. 


16 This idea has been borrowed trom Affirm [Musser 80a]. 
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5.2.2 Ordering and Registry 


An ORDERING command is provided that allows the user to choose between EPOS and 
EDOS for the ordering that will be used by Knuth-Bendix. As indicated previously, EPOS 
computes the complete set of minimal extenders when an equation cannot be ordered, and 
EDOS currently computes > suggestions. Alternatively, the user can select the "manual” 
ordering, which causes REVE to present each equation to the user so that it can be hand- 
ordered. 


Normally, the user extends the current registry incrementally as each unorderable equation is 
considered by Knuth-Bendix. However, REVE commands for initializing, extending, and view- 


ing the current registry are also provided by the top-level command interpreter. 


5.2.3 Knuth-Bendix and Proofs 


The KB command invokes Knuth-Bendix on the current system. Knuth-Bendix can be inter- 
‘rupted at any time by typing tG (control G). The user can then invoke other commands, and 
subsequently continue the completion process. At any. time, UNDO (Section 4.3.2) can be 
invoked one or more times to return to any previous user interaction (e.g., to choose a dif- 
ferent minimal extender for an equation or to divide an incompatible equation), and Knuth- 
Bendix can be resumed from that point. 


Equational and inductive proofs are performed with PROVE. PROVE takes an equation as its 
argument, and attempts to prove that the equation is in the equational or inductive theory of 
the current system. PROVE first uses the current rewriting system to reduce the equation to 
normal form; if the two sides of the equation become equal, the theorem holds. Otherwise, if 
the current system has not been completed by Knuth-Bendix, Knuth-Bendix is automatically 
invoked (after user confirmation). If Knuth-Bendix terminates successfully, the equation is 
again normalized. If the two sides are equal, the equation is valid in the equational theory. 
Otherwise, after user approval, REVE automatically checks to see if the equation isin the 
inductive theory: the equation is added to the current system, and Knuth-Bendix is again 
invoked. If the procedure completes successfully, the user is told that the equation is an 
inductive theorem. If the procedure aborts with Huet-HuHot pseudo-inconsistency, the equa- 
tion is invalid in the inductive theory. 
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For Huet-Hullot inductionless induction to be sound, the user must declare HH-constructors 
using the HH-CONSTRUCTORS command prior to running Knuth-Bendix, and the system 
must be shown to satisfy the principle of definition with respect to these constructors. As 
noted in Section 2.7, this condition is undecidable, and REVE does not yet check for sufficient 
conditions. Currently, it is the user's responsibility to ensure that the definition principle 
holds. 


5.2.4 Basic Operations 


Basic rewriting primitives are invoked with the REDUCE and NORMAL-FORM commands. 
Both of these commands operate on a term given by the user. REDUCE reduces the term (if 
possible) once, using an arbitrary applicable rewrite rule from the current rewriting system. 
NORMAL-FORM computes the normal form of the term with respect to the current rewriting 
system, and also displays all intermediate reduced forms. If the term gets rewritten an in- 
ordinately large number of times and no normal form has yet been found, REVE assumes that 
rewriting will probably not terminate. In this case, the normal form computation stops, and the 
user is shown the last several intermediate reduced forms to help in identifying the source of 
the non-termination. 


The UNIFY and CRITICAL-PAIRS commands permit access to the primitive operations used 
by Knuth-Bendix. The UNIFY command accepts two terms as arguments, and displays their 
unification, or indicates that the two terms cannot be unified. The CRITICAL-PAIRS com- 
mand displays all the critical pairs, if any, that result from superposing two rewrite rules given 
by the user. 


5.2.5 Terminal Session 

The last category of commands control the terminal session itself, and are provided for user 
convenience. These commands are fairly independent of the application domain; they do not 
directly pertain to the rewriting and theorem proving capabilities of REVE. 


Two commands allow terminal interaction to be sent to a file at the same time it is seen on the 
screen. The SCRIPT command takes a file name, and sends all terminal input/output to that 
script file for later viewing. The LOG command causes all terminal input (only) to be stored in 
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next user interaction. Alternatively, most operating systems provide some separate means for 
controlling output'”. However, these capabilities are sometimes inoperable when the com- 
puter is accessed over a network from a remote host, so REVE’s page mode feature can be 


particularly useful for remote users. 


5.2.6 Possibie Enhancements 


REVE's line-oriented user interface provides on-line help facilities, a robust parser, and a 
flexible command interpreter. Many enhancements are possible, however, to extend its 
functionality and ease of use. This section presents some of the user interface improvements 


that are under consideration. 


The user interface could benefit from many features found in screen-oriented text editors. 
Multiple windows could be established, to allow the user to cut and paste, view, and scroll 
both input and output. Separate windows could also be established for the current rewriting 
system and set of equations, enabling the user to dynamically view the system changes ef- 
fected by Knuth-Bendix. 


There are many useful statistics that might be collected about a Knuth-Bendix run and 
provided to the user, to measure the complexity of examples, to identify REVE modules where 
efficiency optimizations are needed, etc. The original Knuth-Bendix paper [Knuth 70] used an 
“efficiency rating" — a ratio of “useful” derived rules to the total number of derived rules — 
to measure the effectiveness of the procedure. Other statistics possibilities are the number of 
rewrites, number of unifications, average ratio of number of equations to number of rules, 
largest number of equations at any one time, number of critical pairs, average number of 
rewrites required when normalizing a term, size of largest critical pair, number of user inter- 
actions required, time spent in rewriting, time spent in unification, time spent in ordering 
equations, and total time spent in completing the system. 


Type checking has been found to be a useful facility when developing large programs. 
Similarly, sort'® checking can be useful when using large sets of equations in REVE. REVE 


For example, when REVE runs under Unix, tS and tQ can usually be typed by the user to stop and start output. 


B sons in algebra are analogous to types in programming languages. 
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5.3.1 Group Theory Example 


To begin the group theory example, we start up REVE, and use the READ command to input 
the axioms shown in Figure 5-1 (which are the same axioms as in Figure 2-1 on Page 19) from 
a previously-prepared file. Alternatively, we could invoke the TERMINAL command and type 
the group axioms directly. Either way, REVE responds by displaying the current contents of 
the system at the terminal. We use the ORDERING command to set the current registered 
ordering to be the automatic ordering EPOS. 


Figure 5-1: Axioms for Group Theory 


(1) e*x =x 
(2) x-tex we 


(3) (x*y)°z = x*(y*z) 


We then invoke the:-KB command to start the Knuth-Bendix procedure on the group axioms. 
REVE will display, among other things, each equation as it becomes ordered, and the critical 
pairs that get computed. Even though the current registry is empty, EPOS (because it Is a 
simplification ordering) is able to order the first group axiom into the rule eex—x. The two 
sides of the axiom x~'sx =e are not orderable under the empty registry, however, so REVE 
presents the two minimal extenders “~' > e" and "* > e" to us, and we are told that either 
one will order the equation into a rewrite rule from left to right. We arbitrarily choose the first 
extender, REVE orders the equation, and Knuth-Bendix continues. We are prompted to select 
minimal extenders for two more unorderable equations during the completion process. All 
critical pairs are equational consequences of the original axioms. Along the way, we see 
various critical pairs that reveal that the left identity, e, is also a right identity; e is its own 
inverse; the left inverse, ~', is also a right inverse; and (x7")"! = x (which is Equation 1 on Page 
18) is in the equational theory. When Knuth-Bendix completes, REVE prints the completed 
system shown in Figure 2-8 on Page 30. 


The compieted system gives us a decision procedure for group theory. We can now prove, 
for example, that (x7! + y“1)"1 sy » (x71 « e)"! (which is Equation 4 on Page 30) is a theorem by 
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using the PROVE command. This causes REVE to reduce both sides of the equation to 
normal form and compare the normal forms for equality. REVE indicates that the equation is, 


indeed, an equational theorem. 


5.3.2 Fibonacci Function Example 


In this section, we use inductionless induction to prove that two characterizations of the 
Fibonacci function, fib and ofib, are equivalent. [Lescanne 83a] contains a terminal session 
with REVE 1 on this example. The interested reader may wish to consult [Lescanne 83a] to 
compare the use of REVE 1 (there) with REVE 2 (here). 


We read the equations shown in Figure 5-2 into REVE. The first two equations define addition 

in terms of the zero and successor functions of Peano arithmetic. The third equation is an 

inductive theorem of addition. We have introduced it as an axiom here, because we are 
interested in proving properties about fib, rather than +. The last three equations comprise 

the classical definition of the Fibonacci function, fib. 


Figure 5-2: Equations Describing the fib Function 


(1)0 + x=x 
(2) s(x) + y= s(x + y) 
(8) (x + y) + z=x + (y + 2) 
(4) fib(0) = 0 | 
(5) fib(s(0)) = s(0) 


(6) fib(s(s(x))) = fib) + fib(s(x)) 


We will want to use Huet-Hullot inductionless induction (see Section 2.7), so we use the 
HH-CONSTRUCTORS command to declare 0 and a the constructors of nonnegative integers. 
It is our responsibility to declare appropriate HH-constructors, and to verify that our axioms 
satisfy the principle of definition with respect to those HH-constructors. We then invoke 
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_Knuth-Bendix. We are asked to choose minimal extenders for two unorderable equations 
during the completion process. Knuth-Bendix finds no non-joinable critical pairs along the 
way, so the resulting convergent rewriting system contains just the original axioms (ordered). 


Since the irreducible ground terms in this system are exactly those that consist solely of 0 and 
s, the normal form of fib(n) (where n is built with 0 and s) is the n'th Fibonacci number. Thus, 
we might use the NORMAL-FORM command at this point to find that tib(s(s(s(s(0))))) is 
s(s(s(0))). | 


We now add the three equations in Figure 5-3, which describe cfib, to the system. The 
equation j 

fib(x) = dfib(x, 0) (6) 
directly expresses the meaning of fib in terms of dfib. We invoke PROVE to verify that this 
equation is a theorem of the above equations and rewrite rules. PROVE finds that both sides 
of Equation 6 are irreducible with respect to the current rewriting system, and thus the normal 
forms are not identical. The equation might still be an equational theorem, however, since the 
current system (consisting of the previously-compieted convergent rewriting system and the 
equations in Figure 5-3) is not complete. Consequently, PROVE automatically invokes Knuth- 
Bendix, after user confirmation. 


_ Figure 5-3: Equations Describing the ofib Function 


(1) ofib(0, y)=y 
(2) dfib(s(0), y) = sty) 


(3) dfib(s(s(x)), y) = dfib(s(x), dflb(x, y)) 


When considering the third equation in Figure 5-3, 

Ofib(s(s(x)), y) = dfib(s(x), dtib(x, y)) (7) 
REVE presents the user with three minimal extenders: either ¥(dfib) = @ or ¥(dfib) = ® will 
order the equation from right to left, and ¥(dfib) = © will order the equation from left to right. 
We choose }/(ofib) = @. Accordingly, REVE reverses Equation 7, converts it to a rewrite rule, 
and Knuth-Bendix continues. At this point, the completion procedure diverges: it starts 
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generating an infinite set of ever-larger rules. In some cases, this difficulty can be averted by 
choosing a different orientation for a previous equation. We interrupt Knuth-Bendix by typing 
+G, and invoke the UNDO command, which backs:up the completion process to the last user 
interaction. (We can perform successive UNDOs to return to any previous interaction.) in this 
case, we are again presented with Equation 7. This time, we choose the minimal extender 
¥(cfib)= ©, and Knuth-Bendix completes successfully. it can be difficult, even for ex- 
perienced users, to choose an appropriate minimal extender for an unorderable equation. 
This is one reason why the UNDO command is so useful. 


This Knuth-Bendix run was actually performed as part of the PROVE command. Since Knuth- 
Bendix has successfully terminated, PROVE again checks whether Equation 6 is an equa- 
tional theorem. It is not, so PROVE automatically uses inductioniess induction (after user 
confirmation). This entails adding Equation 6 to the system, and running Knuth-Bendix once 
again. 


After asking the user to pick minimal extenders for two unorderable equations, Knuth-Bendix 
diverges. Further experimentation would reveal that choosing other minimal extenders for the 
equations will not soive the problem. This situation can often be alleviated by first finding and 
proving an inductive lemma that may help in proving the theorem of interest. We interrupt 
Knuth-Bendix, cancel the proof with the CANCEL command, and attempt to prove the lemma 

fib(x) + y = afib(x, y) (8) 
We hope that this equation, which is a more general version of Equation 6, may be easier for 
Knuth-Bendix to handle. 


PROVE finds that Equation 8 is not an equational theorem of the system. Therefore, PROVE 
adds the equation to the system, runs Knuth-Bendix, and the system completes successfully. 
PROVE announces that Equation 8 is an inductive theorem of the system (though, as noted 
above, the soundness of this inductiontess induction scheme requires that the initial system 
satisfy the principle of definition, which must be verified by the user). !f the algorithm in 
Figure 2-9 on Page 33 had halted with pseudo-inconsistency, REVE would have told us that 
Equation 8 is not valid in the inductive theory of the system. 


Having proven the lemma, we return to proving the original theorem of interest, Equation 6. 
This time, Knuth-Bendix completes, and the inductionless induction proof of Equation 6 is 
successful. 


Chapter 5 : The REVE Program 


5.4 Internal Structure of REVE 


This section gives an overview of the major modules in REVE, and how they interact. This 
information is primarily intended for programmers who wish to extend REVE or adapt it to 
their purposes. Throughout this section, names in boldface are module names in REVE’s 
implementation. There are many minor and general purpose modules that are not discussed 
here; e.g., set, list, mapping, and scanner. Also, we omit discussion of modules that are 
used only by the orderings, the unification algorithm, and the user interface. 


REVE is written in the programming language CLU [Liskov 81], which provides mechanisms 
for data abstraction (c/usters), procedural abstraction (procedures), and control abstraction 
(iterators). in CLU, a module is either a cluster, procedure, or iterator. A cluster has a 
concrete representation type, called the rep, for the abstract type it implements, as well as a 
set of operations for manipulating objects of the abstract type. These cluster operations, 
which are themselves procedures or iterators, are the only means of manipulating objects of 
the corresponding abstract type. The abstract type implemented by a cluster may be 1) 
mutable, which means that the state (value) of objects of that type can be changed, or 2) 
immutable, which means that any object of that type, once created, always has the same 
state. 


Figure 5-4 is a module dependency diagram for most of the clusters and procedures that we 
will discuss here. There is an arc from a module, A, to another module, B, if A directly uses B 
in its implementation. 


5.4.1 Registry, Precedence, and Status/Arity Map 


The registry stores all operator information needed by REVE. Like the mathematical notion 
of registry introduced in Section 3.2.3, a registry consists of a precedence and status map. 
in addition, the registry stores the arity of each operator. REVE uses the arity information to 
ensure that each operator always has the same arity in all terms that are read as input. in the 
future, if sort information is incorporated into REVE (see Section 5.2.6), the signature (domain 
and range sorts) of each operator will also be stored in the registry. The. registry preserves 
the invariant that it be consistent (Section 3.2.3) with respect to its precedence and 
status/arity map components. 
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Figure 5-4: Module Dependency Diagram for the Major Modules in REVE 
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The precedence cluster is implemented as a labelled directed acyclic graph. The nodes are 
operators, and there are two kinds of edges: > and =. If f > g, there is both a > anda = 


edge from f to g. The precedence maintains the invariant that it be consistent (Section 
3.2.3). ss 


The status/arity map is a mapping from operators to their status and arity. If an operator 
has not been assigned a status, its status is recorded as ©. 
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5.4.2 EPOS and EDOS 


The implementation of Knuth-Bendix is independent of the particular ordering being used. It 
requires only that an ordering module provide two procedures that attempt to order an equa- 
tion: a quiet procedure that does not interact with the user, and a user procedure that may 
obtain user assistance. The quiet procedure is used by the ConsiderNew and ConsiderBig 
tasks (see Figure 4-4 on Page 81), and the user procedure is used by the ConsiderUnoriented, 
Considerincompatible, and ConsiderDeferred tasks. Both procedures have access to the 
registry. The quiet procedure just returns the result of comparing the two terms, and does 
not change the registry. The user procedure may return the comparison, or may inform 
Knuth-Bendix that the user wishes to postpone the equation, divide it into two, interrupt 
Knuth-Bendix, or "undo.". In addition, the user procedure may extend the precedence and 


status map in the registry. 


EPOS and EDOS are the two orderings currently available in REVE. The quiet procedure in 
both of these modules merely checks. whether an equation is currently orderable, in either 
direction, under that ordering. The user procedures of EPOS and EDOS compute minimal 
extenders and > suggestions, respectively, for each unorderable equation. The COS module 
is shown in Figure 5-4 for illustrative purposes, to indicate how future ordering implemen- 


tations will fit into REVE’s internal structure. 


5.4.3 Unify and Overlap 
The procedure unify takes two terms and returns the most general unifier of those terms. 
The unification algorithm currently used in REVE is that of Martelli & Montanari [Martelli 82], 


whose efficiency compares favorably with other algorithms on typical examples. 


The procedure overlap takes two rewrite rules, computes the superpositions associated with 
each overlap between the left-hand sides of the two rules, and returns all of the critical pairs 
resulting from those superpositions. This procedure is the heart of the confluence test in 
Knuth-Bendix. 


Rewriting system implements the 
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5.4.4 Term, Rewrite Rute, and Equation 
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4.3.1). There is a special rewriting system operation that returns a list of all marked rewrite 
rules plus the smallest unmarked rewrite rule, and marks the latter. Knuth-Bendix computes 
critical pairs between the latter rule and all the marked rules. 


To improve performance, REVE borrows an idea from Affirm [Musser 80a]: Stored in the rep 
of the rewriting system is a hash table that maps operators to buckets of "pointers," where 
each "pointer" points to a rewrite rule in the marked list or the unmarked list. The root 
operator of the left-hand side of each rewrite rule serves as the hash key for that rule. When 
reducing a term or subterm, ft = f(...), the rewriting operation only needs to try the rules 
referenced by the bucket associated with f. Rules not referenced by "pointers" in that bucket 
will not match f. 


An equational system consists of all equations to which Knuth-Bendix is being applied. 
The equations in an equational system are divided into five lists, as described in Section 
4.3.3: new, unoriented, incompatible, deferred, and big. Special operations are provided for 
manipulating these lists and for computing the current value of £. 


A system contains 4 rewriting system and an equational system. Its key operation is 
the failure-resistant Knuth-Bendix procedure described in Chapter 4. By encapsulating the 
Knuth-Bendix equations and rewrite rules within a single system data abstraction, and thus 
controlling access to the data being manipulated by Knuth-Bendix, the integrity of the 
completion process can be maintained. Also contained in the rep of a system are: 


@ The ordering being used by Knuth-Bendix. 

e The list of unused rewrite rules. 

e The set of HH-constructors. 

e The name of the Knuth-Bendix task currently being executed. This is used when 
the user interrupts Knuth-Bendix, and later asks REVE to resume completing the 
system. 

e The history stack, used to implement the “undo” facility in Knuth-Bendix. 


@ Total Knuth-Bendix running time for the current system, less all time lost along 
decision paths that were subsequently cancelled with “undo.” 


e The tracer (see the next section). 
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5.4.6 Laboratory and Tracer 


The laboratory operations correspond to all of the useful functions available in REVE that 
are not related to the user interface. Together, they form a rewrite rule laboratory. (The 
laboratory cluster is not shown in Figure 5-4. It uses almost all of the modules in the figure.) 
A user interface to REVE need not make direct use of any modules below the laboratory. 
Applications that wish to use REVE’s capabilities can be built directly on top of the 
laboratory cluster. 


At the present time, there is only one user interface to REVE. This interface reads input from 
the user's terminal or from files, invokes the desired laboratory function, and prints the 
results on the user’s screen. Most user interaction is orchestrated directly by this user inter- 
face module. 


There are some interactions with the user for which it is not convenient to use the top-level 
user interface. Prominent among these are the informational messages printed by Knuth- 
Bendix, and the choosing of minimal extenders by the user. For these situations, the tracer 
module is provided. Ali modules below the level of laboratory perform ail of their Input and 
output to the terminal through tracer. Tracer provides a different procedure for each pos- 
sible type of output message produced by REVE. Although the tracer supports various levels 
of output (see Section 5.2.5), this feature is invisible to the modules that use it: tracer merely 
filters out those display messages that are not appropriate for the current tracing level. If 
desired, the tracer module implementation can be easily changed to support a different style 
of user interface. 


101 


Chapter Six 


- Summary and Conclusions 


This chapter presents a summary of the thesis, indicates some areas of future implementation 
and research, and reflects on the development of REVE. 


6.1 Summary of Contributions 


In this thesis, and the associated implementation work, the author has: 


e Presented the basic theory of term rewriting, and equational and inductive proofs, 
in a manner that should be accessible to computer scientists who are not familiar 
with the area. 


e Developed a method for automatically constructing a terminating rewriting sys- 
tem from a set of equations. This method,-based on simplification orderings, uses 
new algorithms that compute minimal complete extender sets for unorderable 
terms. The orderings supported by the method include improved, fully extensible 
versions of existing orderings, and a recent closure ordering. 


e Designed and implemented a new failure-resistant version of the Knuth-Bendix 
completion procedure, particularly well-suited to automatic theorem proving ap- 
plications. It features a strategy for automatic postponement of unorderable 
equations that considers “easier” equations first, an “undo" facility that can back 
up the completion process to change the response at any previous decision 
point, and support for the Huet-Hullot "inductionless induction” method. 


e Designed and implemented most of REVE 2, a production-quality program that 
incorporates the above ideas in a powerful, user-friendly system that Is suitable 
for theorem proving and experiments in term rewriting. The REVE source code is 
modularly designed and carefully documented, in the hope that it may provide the 
basis for experimental implementations in this area by other researchers, and 
thus expedite the development process. 
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6.2 Current Limitations and Ideas for the Future 


REVE continues to be enhanced, both with new features and fine tuning. We list here some of 
the improvements that are either under development or under consideration. 


6.2.1 A Rewrite Rule Laboratory 


A primary goal of REVE 2 is to provide a solid source code base upon which one can easily 
build implementations of experimental programs in the rewriting area. Unfortunately, since 
REVE is written in CLU, making changes or additions to REVE requires some recompilation. 
As explained below in Section 6.3, we feel that CLU’s advantages outweigh this disadvantage. 
Nevertheless, it is worthwhile looking at another software system, RRL, that provides many of 
REVE'’s features in an interpretive language environment. 


Kapur & Sivakumar’s Rewrite Rule Laboratory (RRL) [Kapur 84a] is an environment for ex- 
perimenting with algorithms for manipulating term rewriting systems and equational theories. 
Its goals differ from those of REVE 2, primarily in that RRL emphasizes easy experimentation 
and de-emphasizes automatic theorem proving. Accordingly, RRL has been written partially 
in Musser’s interpreted language, L [Musser 84], and partially in LISP. L is based on LOGO 
and LISP and has been designed with the RRL application in mind. L will also serve as the 
command language for RRL and the language in which a user can interactively program small 
experiments. To build on RRL or change an existing function, the user need only type in a 
new or replacement function, written in L. No recompilation is necessary. 


RRL currently lacks REVE’s scheme for constructing terminating rewriting systems automati- 
cally, and the failure-resistant Knuth-Bendix implementation. Conversely, REVE currently 
lacks many of RRL's facilities for experimentation, such as different rewriting/normalization 
strategies (see Section 6.2.2, below), different strategies for computing critical pairs, and 
different unification algorithms. Both the REVE project and the RRL project have profitted in 
the mutual exchange of information and ideas between our respective research groups. 


103 


Chapter 6 ‘i Summary and Conclusions 


6.2.2 Rewriting 


Term rewriting is the heart of REVE. This section presents methods for improving rewriting 
efficiency and extending REVE’s rewriting capabilities. See also Section 6.2.4.3, where equa- 
tional rewriting is discussed. , 


In a simple approach to rewriting, reducing a term with respect to a rewriting system might 
require matching each subterm of that term with the left-hand side of each rewrite rule in the 
rewriting system. As noted in Section 5.4.5, REVE uses Affirm’s [Musser 80a] hash table idea 


to increase rewriting speed. 


Affirm also uses pattern-match compilation (PMC) [Guttag 78b] to improve the efficiency of 
performing reductions. In PMC, all rewrite rules with the same root operator on the left-hand 
side get compiled into a single LISP function that reduces any term that has that root 
operator. If the rewriting is successful, this function calls the appropriate function to further 
reduce the rewritten term. The LISP functions are stored in a hash table (a LISP a-list), where 
the root operator is the hash key, as described above. This idea cannot be directly imple- 
mented in REVE; CLU is a compiled language, so CLU functions cannot be both created and 
invoked while REVE is running. However, each LISP function could probably be closely 
simulated with a special data structure, call it a multi-rule, that represents all rules in the 
rewriting system that have a given root operator on the left-hand side. It is likely that a fast 
interpreter for multi-rules could be written in CLU. | 


Plaisted [Plaisted 83] has advanced an idea to speed up normal form computations. He 
suggests associating a hash table with the rewriting system, where the hash keys are terms 
and the values stored in the hash table are rewrite rules. Whenever the normal form, t,, of a 
term, t,, is found, one adds the rule t,t, to the hash table under the hash key t,. When 
computing the normal form of a term, ty» first hash ty and try to match ft, against the left-hand 
sides of each rewrite rule in the resutting hash bucket. If a match is found, rewrite ty using 
that rewrite rule, and then compute the normal form of the resulting term with respect to the 


rewriting system. In this way, several reduction steps can often be skipped. 


REVE uses a “leftmost-outermost" strategy to rewrite a term, ft: it attempts to rewrite f at its 
root using each of the rules in the rewriting system. If this is unsuccessful, REVE then 
attempts to rewrite each of the immediate subterms of t using each rewrite rule, and so on. 
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Kapur & Sivakumar have compared this strategy with three others [Kapur 84a], in the context 
of computing normal forms. Each of these four strategies has been implemented in RRL. In — 
their experiments, Kapur & Sivakumar have found one strategy that is often. faster than 
leftmost-outermost. It is a modification of leftmost-innermost that recognizes that certain 
subterms have already been normalized. As in RRL, it may be useful to allow the user to 
choose from among these strategies for experimentation purposes. Also, if the modified 
leftmost-innermost strategy is found to be faster than leftmost-outermost on most typical 
examples, it may be worthwhile using the former strategy as the default in REVE. 


Additional expressive power for equational specifications can be obtained by associating a 
Boolean condition with each equation. The semantics of a conditional equation are that the 
equation holds whenever the condition is true. For example, with an equation that defines 
division, one might associate a condition that the divisor be non-zero. Such a specification — 
can be converted into a conditional rewriting system, where a rewrite rule can only be used 
for rewriting if its condition is true for the term being rewritten. The conditions associated 
with the rewrite rules also affect the proof of termination and the Knuth-Bendix completion 
procedure. Zhang has implemented, using REVE’s modules, the prototype of & program for 
validating conditional specifications using conditional term rewriting techniques, based on his 
work with Remy [Remy 8&4, Remy 85]. This work will be incorporated into ECOLOGISTE 
[Barros 84], a structured specification support system. 


6.2.3 Simplification Orderings 


The simplification orderings used in REVE are instances registered orderings, all of which are 
descendants of Dershowitz’ recursive path ordering. This section describes a method for 
extending registered orderings further, and presents a simplification ordering that is not 
parameterized on registries. 


In some cases, before using a registered ordering to construct a terminating rewriting system 
‘from a set of equations, it may be useful for the user to designate a particular constant 
operator in the system as being the /east constant. This constant is, by definition, less than or 
equal to every other operator in the precedence. Thus, under RPOS, EPOS, EDOS, and COS, 
it is also less than or equal to every term that consists only of operators in the system. The 
definitions of these registered orderings can be extended to use this information, by consider- 
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ing the least constant to be less than or equal to every variable. This allows these orderings to 
prove the termination of additional rewriting systems"®. isabelle Gnaedig of the Centre de 
Recherche en Informatique de Nancy (CRIN) has implemented the least constant extension of 
RPOS in an experimental version of REVE. Francoise Bellegarde, also of CRIN, has found this 
feature to be important in her use of REVE to prove theorems about FP [Backus 78] programs 
[Bellegarde 84], taking the identity function to be the least constant. 


Registered orderings are among the most commonly-used classes of simplification orderings. 
Another relational in popular use, which is not parameterized on registries, is the polynomial 


ordering. 


Lankford [Lankford 79a] and Dershowitz [Dershowitz 79b] have suggested associating a poly- 
nomial, F(a,, iaey a,): with each n-ary operator, f, in the system. This mapping extends to a 
morphism, p, on terms by letting B(F(t,, 1 t,)) = F(u(t,), --, p(t,)). The polynomial ordering, 
>[s], on the relation is defined as s >-[p] t if and only if z(s) > p(t) for all assignments, u(x), 
to the variables in s and t. 


Note that >[,] is a partial ordering. However, >[j] is not necessarily a simplification order- 
ing. For any given p, compatibility and the subterm property must be shown separately. 
Dershowitz suggests using polynomials over the real numbers. |n this context, for any rewrit- 
ing system, %, it is decidable [Tarski 51] whether there exists a » such that >[] is a 
simplification ordering that proves the termination of %. However, this is not yet a practical 
method for proving termination, since existing decision procedures [Cohen 69] require super- 
exponential time. 


Lankford suggests restricting the polynomials to those over the positive integers. All such 
polynomiais have the compatible and subterm properties, so >[,] is a simplification ordering 
in this setting. However, for positive integer polynomiais, it is undecidable whether there 
exists a p for % such that >[] proves the termination of %. Nevertheless, for a proposed y, it 
is often possible to check, by hand, whether j1(s) > p(t) for all assignments to the variables, 
and for every rule s—t in %. This is typically accomplished, for each rule, by factoring the 
polynomials y(s) and y(t), and dividing out the common factors. (Such dividing is permitted 
because no factor is equal to zero, since the polynomials range over positive numbers.) 


Weor example, the termination of {f(g(x))—+9(a)}, where g > /, can be proven using the least constant extension 
of any of these orderings, if a is the least constant. 
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When registered ordering implementations are not available, the polynomial ordering (using 
polynomials over the positive integers) is sometimes easier to use than registered orderings 
when proving termination by hand. However, the main reason for incorporating the polyno- 
mial ordering into REVE is that there are rewriting systems whose termination cannot be 
proven with existing registered orderings, but can be proven with the polynomial ordering”. 
The converse is also true [Dershowitz 83c], so both registered orderings and the polynomial 
ordering should be provided in REVE. Implementing the polynomial ordering will not be easy. 
It is difficult to develop procedures for comparing polynomials, and for automatically deriving 
an appropriate p for a given %, that are sufficiently powerful to be generally useful. Lescanne 
and Alhem Bencheriffa are studying these problems for REVE. 


6.2.4 Completion Procedure 

REVE derives its theorem proving capabilities from the Knuth-Bendix completion procedure. 
This section discusses methods for improving the efficiency of Knuth-Bendix, making it fully 
automatic, augmenting it to allow for rewriting modulo a set of equations, extending it to 
handle first-order predicate calculus, and using it in alternative inductioniess induction 
schemes. . 


6.2.4.1 Computing Small Critical Pairs 

As discussed in Section 4.3.1, smaller critical pairs are more desirable than larger ones. It is 
difficult, if not impossible, to determine the size of a critical pair in advance (in general). 
However, Section 4.3.1 notes that it is a good heuristic to pick a small pair of untried rewrite 


rules with which to compute critical pairs. 


Since critical pairs are expensive to compute, it is useful to generate only a few critical pairs 
at a time. If these can be ordered into rules, they might reduce or eliminate larger rules, 
reducing the number and size of other critical pairs that must be computed. 


Section 4.3.1 noted that if we keep the rules sorted and always pick the smallest unmarked 
rule, the marking scheme will always use the smailest pairs of untried rules. A drawback, 
though, is that many critical pairs get generated at once. 


Done such rewriting system, encountered in Bellegarde’s work, is {f(g(x), gly))—g(f(x, y)), Mx, fy, 2) 
Kix, y), Z), A(x, oY). GNA Kx, offly, z))}. 
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We can generate fewer critical pairs at once if we pick the smallest pair of untried rules, and 
only compute the critical pairs between those two rules before attempting to order the critical 


pairs. This scheme requires more bookkeeping. 


RRL extends this idea further, by generating critical pairs one at a time. Once the smallest | 
pair of rewrite rules has been identified, only one critical pair (if any exist) is generated from 
the pair of rules. After handling the critical pair (e.g., by ordering it into a rewrite rule and 
normalizing the rewriting system accordingly), if that same pair of rules is still the smallest 
pair, the next critical pair between those rules is generated, and so on. | 


6.2.4.2 Fully-Automatic Knuth-Bendix 
The Knuth-Bendix completion procedure, as implemented in REVE, does not yet work fully 
automatically. User interaction is required to: 
(1) Choose one. of the minimal extenders to try, whenever an equation is not or- 
derable. 


(2) Invoke the Knuth-Bendix "undo" command when (for some compatible equation) 
there are no further minimal extenders to try. 


(3) Decide whether an incompatible equation should be divided, and, if so, what the 
name of the new operator should be. 


(4) Interrupt Knuth-Bendix and invoke "undo" when it appears that the completion 
process is diverging, possibly because of some "bad" decision made earlier in 
the completion process. 


Let us assume that we are using the automatic method for constructing a terminating rewrit- 
ing system from a set of equations, as. described in Section 3.6. This will automatically handle 
(1) and (2) above. Similarly, assume that REVE can automatically introduce a non-conflicting 
operator name when an incompatible equation is divided", so that (3) reduces to a decision 
of whether or not to divide the equation. in this context, a decision path for a system is a 
sequence of choices, one choice for each equation that requires a decision (choosing a 
minimal extender for a compatible equation or choosing whether or not to divide an incom- 
patible equation) as Knuth-Bendix proceeds. 


= Lescanne's REVE 1 provided this capability. 
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Knuth-Bendix could be fully automated by pursuing all possible decision paths for a system, 
to handle (3) and remove the need for (4). Recall that REVE uses a system data abstraction 
to store all state information required by Knuth-Bendix (see Section 5.4.5). At each decision 
point during the completion process, REVE could make duplicate copies of the current state 
of the system, one for each possible decision at that point, and put them into a process 
queue. REVE could then continue to complete each of the systems in the queue 
“simultaneously” by alternately running Knuth-Bendix for a short time on each of them. 
When any of these systems reaches another decision point, more system copies could be 
spawned, and so on. In effect, there would be one system in the process queue for each 
possible decision path. When any of the systems reaches a dead end (for some unorderable 
equation, there are no minimal extenders to try), that system would get deleted from the 
queue. Also, if criteria can be found that identify systems that are definitely diverging, such 
systems would also get deleted from the queue. If some decision path successfully 
produces a completed system, the process would stop. Since REVE would run Knuth- 
Bendix on each system in the process queue in an alternating fashion, the entire process 


would diverge only if all decision paths diverge. 


As described here, it may appear that the fully-automatic Knuth-Bendix procedure would be 
hopelessly inefficient. However, as noted in Section 3.6, backtracking to choose different 
minimal extenders is usually not required. Also, most examples found in practice do not 
generate incompatible equations, so there are usually no decisions for dividing equations. 
Consequently, the speed of the scheme described above could probably be improved, in most 
cases, by giving running preference to the first system, and only pursuing other decision 
paths if the first system reaches a dead end, or requires an unusually long time to complete. 


6.2.4.3 Equational Term Rewriting Systems 
The correctness of Knuth-Bendix requires that the rewriting system terminate at each step of 
the procedure. As noted in Section 2.6, this requirement disallows the use of equation sets 


that include, e.g., the useful commutative equation x + y =y +x. 


To handle this problem, Huet [Huet 80b] and Peterson & Stickel [Peterson 81] have extended 
the Knuth-Bendix procedure to operate on an equational term rewriting system (ETRS): a 
rewriting system, together with a set, E, of equations, where the equations in E are not con- 
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verted into rules. For example, one might have E consist solely of the above commutative 
equation. The completed rewriting system, together with E, provides a decision procedure for 
the equational theory of the equations and rules that comprise the ETRS. Huet’s method 
requires that all.rewrite rules be left linear (for every rule, each variable appears at most once 
on the left-hand side). The Peterson-Stickel approach is limited to examples where E consists 
only of equations that are both left and right linear, and where a finite and complete unifica- 
tion algorithm for E is known. ("E-unification" is the process of finding a set of maximally- 
general substitutions for the variables in two terms, that make those two terms equal in the 


theory of E.) 


ETRS completion procedures are powerful tools for automatic equational reasoning. Huet’s 
procedure is too restrictive, however, to handle many typical examples of ETRS. The 
Peterson-Stickel procedure is probably too inefficient to permit a practical implementation. 
The inefficiency stems from both E-unification, wherein hundreds of substitutions are 
routinely computed for each pair of unifiable terms, and E-matching, wherein the equivalence 
class (under E) of a term is, in effect, searched to find an equivalent term that can be rewrit- 


ten. 


[Jouannaud 83] unifies the Huet and Peterson-Stickel results, showing them to be special 
cases of a more abstract theory. In addition, the [Jouannaud 83] approach generalizes 
Peterson-Stickel by allowing non-linear equations in E. However, [Jouannaud 83] does not 
propose a particular completion procedure that incorporates these new results. 


In [Jouannaud 84], Jouannaud & Kirchner simplify, generalize, and extend the [Jouannaud 
83] results about ETRS. They use these new results to prove the correctness of a new 
completion procedure that is more powerful and more efficient than previous methods. Some 
issues regarding the efficiency and effective use of the [Jouannaud 84] completion procedure 
are still under study. For automatic theorem proving applications, the failure-resistant 
properties described in Chapter 4 should also be considered for possible inclusion in the new 
ETRS completion procedure. 


Helene Kirchner and Claude Kirchner are currently building on REVE 2 to create REVE 3, 
which will incorporate the [Jouannaud 84] completion procedure. Their implementation 
makes use of Yelick’s generalized unification design and her implementation of a unification 
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algorithm for AC theories [Yelick 84]. It is clear that the use of an ETRS completion proce- 


dure is essential for practical theorem proving using current rewriting methods. 


6.2.4.4 First Order Predicate Caiculus 


Hsiang [Hsiang 82]*? has developed complete proof strategies for first order predicate cal- 
culus, based on rewriting methods and Knuth-Bendix. These strategies make use of a new, 
convergent ETRS for deciding Boolean algebra. Rather than using conventional, inefficient 
AC-unification for the Boolean binary operations, Hsiang introduced a new algorithm, called 
BN-unification, that is optimized for the Boolean operators. The validity of first order sen- 
tences is proven using a refutational proof technique that is much more efficient than resolu- 
tion [Robinson 65] in many interesting cases. The utility of predicate calculus, and the ef- 
ficiency of Hsiang’s method, suggest that Hsiang’s work should be included in a future 
release of REVE. In addition, it might be possible to use Hsiang’s Boolean algebra ETRS to 
heip perform the disjunctive normal form simplifications required by the COS minimal com- 
plete extender set computation scheme, described in Section 3.5.2. 


6.2.4.5 Inductionless Induction 

REVE uses the Huet-Hullot approach to inductionless induction [Huet 82], whose correctness 
requires that the rewriting system satisfy the principle of definition. However, as indicated in 
Section 2.7, this principle is undecidable in general, and REVE does not currently include a 
check for sufficient conditions. Jean-Jacques Thiel has recently proposed a powerful new 
algorithm for performing such a test [Thiel 84], and is currently implementing it in an ex- 
perimental version of REVE. 


The Huet-Hullot inductionless induction method is but one of several. Its principle advantage 
over other such methods is that. it is fairly amenable to. automatic theorem proving. Its prin- 
ciple disadvantage is that it disallows many interesting examples. Huet-Hullot requires that no 
two ground terms built from HH-canstructors be congruent in the equational theory of the 
system. This restriction makes Huet-Hullot non-applicable to set theory, for example, since 
insert must be an HH-constructor (because insert(empty, a) is irreducible), and yet the theory 
of sets tells us that insert(insert(empty, a), b) and insert(insert(empty, b), a) are congruent. 


225.0 also Hsiang & Dershowitz [Hsiang 83] for a condensed discussion of this work. 
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Kapur & Musser [Kapur 84b] have unified and generalized inductionless induction results into 
a general theory of proof by consistency. Their unambiguity property admits many interesting 
theories (including sets) that are not handled by Huet-Hullot. If useful (decidable) sufficient 
conditions can be identified that imply (undecidable) unambiguity, the Kapur-Musser ap- 
proach may yield effective ways to handle many practical inductive theories in an automatic 
fashion. 


[Huet 82] and [Lankford 81] discuss extensions, to ETRS, of their respective inductioniess 
induction methods, where E is identically AC. Further work is needed to determine the ap- 
plicability of inductionless induction and proof by consistency to more general E-theories. 


6.2.5 Exploiting Concurrency Opportunities 


‘The Knuth-Bendix completion procedure is inherently slow. Rewriting, ordering, unification, — 
computing critical pairs, and “undo" backtracking are all fairly expensive operations. 
However, we remark that many of these functions are highly amenabie to parallel processing: 
e When rewriting a term, the left-hand sides of all rewrite rules can be simul- 
taneously matched against the term. The rule corresponding to any successful 


match can be used to rewrite the term, since (in REVE) the shia! in which rules 
are applied does not matter. 


e The efficiency of computing s © ¢ (and hence s >* t) can be improved by compar- 
ing the subterms of s with the subterms of ft in parallel. The particular subterms 
involved depend on the roots of s and t and the information in the registry. The 
efficiency of s >® t can be similarly improved. 


e There may be many critical pairs that result from overlapping the left-hand sides 
of two rewrite rules at all'possible occurrences. All of these overlaps may be tried 
concurrently, since none of them depends on intermediate results from the other 
overlaps. In addition, multiple pairs of rules may be overiapped concurrently. 


e The fully-automatic Knuth-Bendix implementation, described in Section 6.2.4.2, 

- can be very time consuming, if multiple decision paths must be explored. The 
running time can be reduced by concurrently trying every decision path, rather 
than trying them in an alternating fashion. 


Somewhat surprisingly, Dwork, Kanellakis, & Mitchell [Dwork 84] have shown that unification 
is an inherently sequential process that cannot benefit significantly from parailelism. 
However, they have also shown that matching, during rewriting, can be significantly improved 
using concurrency. 
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As concurrency capabilities in device technology, computer architecture, and. programming 
languages increase, so will the potential speed and utility of automatic theorem proving 
methods using term rewriting techniques. The application of concurrency in this field is an 


interesting and largely unexplored research area. : 


6.3 Reflections on the System Development Process 


Currently consisting of 20,000 lines of source code and in-line comments, more than four 
times the size of REVE 1, REVE 2 is one of the largest CLU programs in existence. It is only 
slightly smaller than the CLU compiler itself. Moreover, the size of REVE 2 is likely to grow by 
50% in the next year, as the new features that. will comprise REVE 3 get incorporated. In the 
presence of such a large and growing body of code, issues common to the development of all 
large software systems become almost as important as the application domain. In this sec- 
tion, we reflect on these issues as they pertain to REVE 2. 


To maintain the consistency and coherence of the REVE source code as it evolves, full 
responsibility for maintaining REVE and incorporating improvements is always in the hands of 
a single person. Following an official REVE release by this maintainer, our colleagues are 
welcome to modify and extend the capabilities of REVE, using their own copy of the current 
source code. Before the next release, each such extension is sent to a small review com- 
mittee for examination, to determine the importance of the extension and its degree of com- | 
patibility with the goals and existing code of the system. The selected extensions are com- 
bined, inconsistencies are resolved, and programming styles are made uniform, by the REVE 
maintainer. The new REVE version is released (with a new release number), and the develop- 
ment cycle repeats, building on the newly-released source code. 


The CLU language provides a number of features that substantively assist in the construction 
of large programs. Data abstraction is fully supported in the language, and can be used to 
great effect in modularizing the code. Compile-time type checking of both built-in and user- 
defined types catches many errors that might otherwise result in obscure run-time bugs. 
Garbage collection, dynamic arrays, and exception handling automatically manage tedious 
and error-prone tasks and contribute to clean, elegant code. CLU’s structured syntax is easy 
to read. Furthermore, the convenient CLU programming environment, with accompanying 
text editor and interactive symbolic debugger, expedites program development. 
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There are some disadvantages to using CLU, however. Most existing software in this field is 
written in LISP, LISP versions exist thet have ait of the henelite ileted above for CLU, except 
for compile-time type checking and lucid syntax. Thus, t might appear thet REVE’s im- 
wo believe that the benetes ot cosipte tims te chashing ath denpe ieograne, oven wih the 
programming limitations thet-such checking impases, oulweigh: the disadvantages of not 
using LISP. Moreover, even LIGP code Is not necessarily easy to share, because of dif- 
ferences in LISP dialects and inetailation environments. 


The REVE implementation affort has Hustrated an lpartant tenet of large experimental sys- 
tems development: Build a prototype early. A prototype implementation gives focus fo the 
project, and heips indicate the potential difficulties te be mekied. Leecanne's REVE 1 served 
"as an excellent prototype for REVE 2 by defining the problem-ares and providing preliminary 
solutions. However, thie princisie was not strictly fullewed: during the development of REVE 2. 
. We sometimes strove unnecessarily to offset potential efficiency difficulties, before it was 
established that such difficulties existed. For exemple, it wnebelleved early on that the code 
could be made nore efficient by keeping, in each -apmrator appearing in a term, a "pointer" to 
the current registry. Jn thin way, the registry would not have te be passed through multiple 
layers of procedure ceita™ to be avaliable to the entaringe. However, an thie idea parmested 
the code, and every operator in every term that get capled or created had to contain the 
current registry; the incurred overhead cancelled any efficiency advantage. Moreover, the 


ne code became more convaluied and terms apcupled tar mare sterage than they needed to. in 


retrospect, it ie probable thal REVE 2 would heave eohieved Ms:curvent features and perfor- 
ene oe Te er eee eee 
late caplnned fo qiteck einloney or Senteenem ee, eae eg: 


Clean and well-commented source code, kientiicalinn of genentily-useful sbetractions, and 


careful module testing ware found to be indapenadiaie-in the development of REVE 2. 


Implementation proceaded bottom-up”, and the documentation, generality, and reliability of 
| tower tovel mochdos infin Se coring higher-tovet metetan, etowtng mage to be quickly 


a m nt Sle wo min ott vt conning com at ‘becmine tie. prochdes 
maintaining muttiple syatems, each with is cen segiatry, in ae 


M4 he design, however, of REVE. 2 was performed top-down. ig 
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identified and removed. To date, no buge have tuned up in the besic deta abstractions — 
terms, multisets, graphs, etc. ~ since they paaned seal criginat meade tanta at the tne they 


Several people at MIT have euccosstly writen programe hit use sone oral ofthe modules 


‘in REVE 2. ‘Yelick has used many of REVE’s lowertevel madisles in her. implementation of ae 


associative-commutative (AC) unification [Yelick 84] sneuphs Zachery weed meat of REVE tn 
_ hie eyetem to experiment with parrmanative ronnie rites. | ibe 


rewriting systems. David Detiala complotaly re-engineered REMES user intertace, imple 
mented EPOS and ite minimal complete extender sat sigorliwn, and: aeeumed maintenance 
responsibilty for REVE, without difficuly. in addition, Sqnecaaht Marmacs! 04] han. syediod 
REVE's implementation, and has shown how REVE can te used for the theorem proving 
required $0 pertorm many of the semantic checke used in the Larch epeciiostion language | 
[Guttag e230). DEVE wit he noes on eoesited eoeeess Shebir fn s-sunpert aystem for 


R REVE has le ben we imghndton work sete nina, Pamerchers ot CAN 
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REVE Commands 


In this Appendix, we present the descriptions of each command in the current version of 
REVE 2. These descriptions are taken almost directly from the on-line HELP information 
provided by REVE. The commands fall into five categories, indicated by the subheadings 
below. 


You do not need to type in the whole command name; unambiguous prefixes are sufficient. 
Commands and arguments can be typed in upper and/or lower case. If you have a file in your 
login directory called ".reve_init,” that file will be executed as if by the REPLAY command 
whenever you start REVE. This can be useful, for example, if you often Gesire a page mode, 
tracing level, etc., that is different from the default, or if you always want to script your 
sessions. 


User Interaction 


HELP Provides the user with detailed explanations of REVE commands, as well 
_as information on other topics, such as interrupting Knuth-Bendix, or 
entering arguments to commands. HELP takes one argument, which is 
the topic on which help is desired. Unambiguous prefixes are sufficient 
specifiers of help topics. "HELP ?" prints out a terse list of topics on 
which help is. available. "GENERAL" is a special topic that gives a short 
introduction to each HELP topic. 


TRACE Sets the Knuth-Bendix tracing level. This should be an integer between 0 
and 3, inclusive. O is the least verbose, printing nothing but user inter- 
action. Level 1 announces the size of the system at regular intervals, and 
informs the user whether Knuth-Bendix is reducing and orienting equa- 
tions or generating critical pairs, that equations have been oriented into 
rewrite rules, that rewrite rules have been turned back into equations be- 
cause their left-hand sides were reduced, that non-trivial critical pairs 
have been found, and that equations have been divided or separated. 
Level 2:gives this information, and also informs the user when an equation 
or the right hand side of a rewrite rule has been reduced as a result of the 
addition of a new rule, and, for critical pairs, gives both the origina! critical 
pair and its reduced form. Finally, level 3 gives all this information, and 
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SCRIPT 


UNSCRIPT 


LOG 


UNLOG - 


REPLAY 


PAGE 


QUIT 


REVE Commands 


‘also informs the user when equations are postponed because they are 


classified as "big" or are unable to be ordered, and also always prints the 
pair of rules being superposed, even if no critical pairs are found. 1 is the 


default tracing level. An argument of "?" displays the current tracing 


Starts recording of the terminal session in a script file. SCRIPT takes an 
argument, which is the name of the file to which scripting should be sent. 
Any previous contents of a script file are lost. Only one script file is 
allowed at a time. Scripting is ended by the QUIT or UNSCRIPT com- 
mands. 


Stops recording the terminal session in a script file, and closes that file. 


Starts recording the user input in a log file. LOG-takes an argument, 
which is the name of the file to which logging should be sent. Any pre- 
vious contents of the file are lost. Only one log file is allowed at a time. 
Logging is ended by the QUIT or UNLOG commands. In order to avoid 
annoying UNLOG commands at the end of log files, UNLOG commands 
are not stored in log files. Log files, once made, can be executed via the 


. REPLAY command. (REPLAY commands are not stored in log flies, 


either.) 


_ Stops the recording of user input in a log file. The log file is closed. 


UNLOG commands do not show up in log files. 


Causes REVE to take input from the file whose name is given as the ar- 
gument. This command is ordinarily used to read from a file that was 


_created by the LOG command, but any text file may be specified. Once 


the file has been exhausted, REVE starts accepting input from the. ter- 
minal. REPLAY commands may not be nested, so REPLAY commands 
are ignored in files executed via the REPLAY command. REPLAY com- 
mands do not appear in log files. 


Controls REVE’s page mode. In page mode, REVE buffers output a 
screen at a time, so that no output is missed. When a screenful of output 
has been printed since the last user interaction, the user is prompted for 
what to do next. The options include printing the next full screen, half 
screen, single line, or "n" lines where n is a single digit; printing without 
stopping until the next user interaction point; or not printing at all until the 
next user interaction point. These options are explained in detail if you 
type "?" in response to a "--More--" prompt. The default page mode is 
"off." See HELP REVE-INIT for information on how to change this. 
(Another method of controlling output is by using the tS and tQ keys. tS 
stops output, and tQ resumes printing.) 


Causes REVE to halt, returning the user to the operating system. Any 
script or log file is closed. 
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READ 


APPEND 


TERMINAL 


ADDITIONAL 


WRITE 


DISPLAY 


FREEZE 


THAW 
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Input/Output 


Deletes any existing equations and rewrite rules in REVE, and reads new 
equations from a file. The precedence information is cleared, and the 
status of all operators becomes "undefined." The file name is given as an 
argument. If the file name has no directory part, the current working 
directory is first searched for that file, and then a special "examples" 
directory is searched. An argument of "2?" gives a list of the example 
equation files in this directory. See also the TERMINAL, APPEND, and 
ADDITIONAL commands. 


Reads equations from a file, adding them to the current system. The file 
name is given as an argument. If the file name has no directory part, the 
current working directory is first searched for that file, and then a special 
"examples" directory is searched. An argument of "?" gives a list of the 
example equation files in this directory. See also the READ, TERMINAL, 
and ADDITIONAL commands. 


Deletes any existing equations and rewrite rules in the system, and reads 
new equations from the terminal. The precedence information is cleared, 


_and the status of all operators becomes “undefined.” See also the READ, 


APPEND, and ADDITIONAL commands. 


Reads new equations from the terminal, and adds them as user equations 


to the system. See also the READ, TERMINAL, and APPEND commands. 


Writes the equations and rewrite rules in the current system to a file, given 
as the argument. This file can later be read in (with the rewrite rules 


interpreted as equations) using the READ or APPEND commands. 


Displays the equations and rewrite rules in the current system on the ter- 
minal. Divides the equations into two sete, those entered by the user and 
those generated as critical pairs. The equations and rules are numbered 
for reference in other commands. Also shows the equation to be proved if 
an equational or inductive proof ts in progress. 


Saves the current system, including the equations, rewrite rules, 
precedence, status map, and Knuth-Bendix "undo" information, into a file 
in object form. The name of this file is given as the argument. Systems 
saved using FREEZE can be later be restored by the THAW command. 
This command is useful for saving completed or partially-completed sys- - 
tems. 


Restores a system that was saved previously using the FREEZE com- 
mand. The name of the file in which the system was saved is given as the 
argument. THAW does not allow files to be thawed if they were made 
using an out-of-date version of REVE. 
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KB 


UNDO 


PROVE 


CANCEL 


DELETE 


- REVE Commands 


‘System 


Runs the Knuth-Bendix Completion Procedure on the current aystém of 


sraoreus ening the PRONE autemanh at eeaare trwe to weir eartna 
form using the NORMAL-FORM commend. The TRACE command con- 
trols output produced by Kruth-<Bendix during the completion process. 
You can interrupt Knuth-Bendix with 1G, and esaume it with KB. 


Causes the system to be eet to Re state belore the tast interaction with 
Knuth-Bendix, # there was one, and restarts Knuth-Bendix from that point. 


Attempts to prove thet an equation le.a thencam with the respect to the 
equations and rewrite rules in the ayetert.. ‘The equation is given as the 


. sat Yo aeicatined tie sible le eid a tear # eo wands ip 10m 
ee ee ec inden ts ake 


Ccncite dow gait currently in progress. ‘Tesdatersnine iftheve io.a proot : 


(progress, uae the DRBPLAY command. ESTEVE for mare tolermation 


on preois. 
Ts. of ng, sid an wore 
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CLEAR 


TASK-ORDER 


AUTOMATIC 


ORIENT 
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user is prompted for the equations and rules to delete.) If all the numbers 
in the list correspond to equations and/or rules in the system, those equa- 
tions and rules are deleted. Otherwise, nothing is done, and an error 
message is printed. Deleting rewrite rules "compromises" the system, in 
that it is no longer guaranteed to represent the same equational theory as 
the original system. “Deleted" critical pair equations are saved on a spe- 


cial list, and are reinserted into the system after Knuth-Bendix is finished, 


to preserve correctness. In this case, DELETE should be thought of as 
postponing consideration of an equation. Deleting user equations just 
causes Knuth-Bendix to complete the system consisting of the new, 
smaller set of equations. 


Resets REVE. All equations and rewrite rules are deleted from the system, 
the precedence is cleared, and the status of all operators is set to 
"undefined." 


Changes the order in which the Knuth-Bendix tasks are executed. The 
default is “automatic,” a task order that considers all non-big unorderable 
equations before computing critical pairs. This order is the most efficient 


‘one for use with automatic orderings, such as EPOS, and perhaps also for 


the current implementation of EDOS, if you are familiar with the basics of 
choosing EDOS suggestions. The other possible task order currently 
available is "postpone," which postpones compatible unorderable equa- 
tions until after critical pairs have been computed, in the hope that the 
unorderable equations will reduce (and become orderable) or become 
identities and disappear. If you interrupt Knuth-Bendix and change the 


“task ordering, Knuth-Bendix will start with the first task of the new order 


when resumed. 


Sets the current REVE execution mode to be automatic ("on") or manual 
("off"). If "on," and the current ordering is EPOS, the ORIENT command 
will convert the equations into rewrite rules without user help, automati- 
cally choosing different minima! extenders, reversing equations when ail 
extenders have been tried, etc. In the future, if a fully-automatic Knuth- 
Bendix is implemented, AUTOMATIC will also determine. whether or not 
Knuth-Bendix runs automatically. 


Causes REVE to order all current equations into rewrite rules, using the 
current ordering, without computing any critical pairs. If the AUTOMATIC 
execution mode is "on," and the current ordering is EPOS, ORIENT will 
transform the equations into rules without user help, automatically choos- 
ing different minimal extenders, reversing equations when all extenders 
have been tried, and reporting failure if a terminating registry cannot be 
found. Otherwise, for each unorderable equation, the suggestions or ex- 
tenders from the ordering are displayed, and the user is prompted to take. 
action on the equation accordingly. 
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REDUCE 


NORMAL-FORM 


UNIFY 


CRITICAL-PAIRS 


ORDERING 


INITIALIZE 


PRECEDENCE 
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Laboratory 


Rewrites a term once, using the current rewriting system. The term is 
given as the argument. The choice of rewrite rule applied is non- 
deterministic. 


Computes the normal form of a term with respect to the current rewriting 
system. The term is given as the argument. If the rewriting system is not 
guaranteed to terminate, i.e., if the user has added a rewrite rule to the 
system that the current ordering was unable to order (or if the "manual" 
ordering is being used), the normal form computation may not terminate. 
When the rewriting system is not known to terminate, REVE stops the 
rewriting process and issues a warning after a very large number of 
rewrites during a normai form computation. 


Computes and prints the unification of two terms, i.e., the result of apply- 
ing their most general unifier to either term. Standard unification (i.e., 
unification in the empty theory) is used. The two terms are entered as 
arguments. If the terms are entered on the same line, they should be 
separated by a semicolon (";"). 


‘Finds and prints all critical pairs between two rewrite rules, which are 


entered as arguments. If the two rules are entered on the same line, they 


_ Should be separated by a semicolon (";"). 


Orderings 
Sets the ordering to be used by Knuth-Bendix. Currently, the orderings 


‘supported are "EPOS," which computes the minimal complete extender 


set when an equation is unorderable; "EDOS," which currently provides 
suggestions for extending the “>" relation in the precedence, and 
"manual," which prompts the user to hand-order each equation. When 
ORDERING is used to switch from "manual" to either "EPOS"” or 
“EDOS," all rewrite rules are converted back into equations to preserve 
the correctness of Knuth-Bendix. 


Restores the system to a state in which there are no Huet & Hullot con- 
structors, there is no precedence information associated with operators, 
and all operators have “undefined” status. All rewrite rules are turned 
back into equations. Note that this preserves the equational theory 
defined by the rewrite rules and equations in the system. See also the 
CLEAR command. 


Adds precedence information to the system. REVE uses orderings on 
terms to prove the termination of the rewriting system. These orderings 
are parameterized on a precedence. The precedence records information 
regarding whether "f >g," "f = g," "f>= g,”".or "f" and "g" are unre- 
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STATUS 


CONSTRUCTORS 
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lated, with respect to the ordering, for any two operators "f" and "g." 
PRECEDENCE takes an argument, which is a list of lists of relations 
among operators, where the lists are separated by commas. The permis- 
sible relations are ">," "<," "=," ">=," and “<#." For example, the 
argument "f >= g <h, a = g" causes "“f" to be greater than or equal to 
"g," "h" to be greater than "g," and "a" and "g" to be equivalent in the 
precedence. All operators in the lists must already appear in one of the 
equations or rewrite rules in the system. All the lists taken together must 
parse correctly and represent a consistent addition to the precedence, or 
else nothing is done and an error message is printed. See also the 
CONSTRUCTORS, STATUS, and OPERATORS commands. 


Declares the status of an operator, which is used by the orderings in 
REVE. This status can be "“multiset,” “left-to-right,” "right-to-left," or 
"undefined." Loosely, "multiset" status for "f" means that for a term “t" 
= “f(...)," the ordering regards the arguments of "t" as a multiset, and the 
order of the arguments is ignored. When the status is "left-to-right," the 
leftmost arguments of “t" are given more weight in the ordering. Similarly, 
“right-to-left” status indicates that the rightmost arguments are more im- 


‘portant. If the status of "f" is "undefined," "f" has not yet been assigned 


a particular status. "Undefined" is the initial status assignment of all 
operators. STATUS takes two arguments: an operator name, and a 
status, which should be "left" for left-to-right, “right” for right-to-left, or - 
“multiset." The operator must already appear in one of the equations or 
rewrite rules in the system. See also the PRECEDENCE, 
CONSTRUCTORS, and OPERATORS commands. 


Adds precedence information to the system. REVE uses an ordering on 
terms to prove the termination of the rewriting system. This ordering on 
terms is an extension of a partial ordering on operators, called a 
precedence. CONSTRUCTORS allows one to extend the precedence 
relation in a particular way: it takes one argument, which is a list of 
Operators, and declares each of those operators to be less than or equal 
to all other operators not in the list: You must declare all constructors at 
the same time. Ht is particularly useful to deciare ail of the basic construc- 
tors using this command (hence its name), since all constructors are al- 
most always less than all non-constructors in any precedence that allows... 
REVE's ordering to prove termination. All operators declared using this 
command must already appear in one of the equations or rewrite rules in 
the system. See also the PRECEDENCE, STATUS, OPERATORS, and 
HH-CONSTRUCTORS commands. 


HH-CONSTRUCTORS 


Declares Huet-Hullot constructors, which are used in inductionless induc- 
tion. For inductionless induction to work properly, it must be the case that 
every "ground term" (a term containing no variables) is congruent, with 
respect to the equations and rewrite rules in the system, to exactly one 
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OPERATORS 


CHECK 


ground term consisting solely of Huet-Hullot constructors. In abstract 
data type axioms, the constructors of the data type will often have this 
property. (Sets are a notable exception, since "insert" and "new" are the 
set constructors, and, in general, there will be many congruent ground 
terms that denote a given set.) This command takes one argument, which 
is a list of operators. Any operators that get declared as Huet-Hullot con- 
structors also receive the treatment accorded to operators by the 
CONSTRUCTORS command. All operators declared using HH- 
CONSTRUCTORS must already appear in one of the equations or rewrite 
rules in the system. See also the CONSTRUCTORS command. 


Displays the operator precedence and status information in the system. 
For every set of operators that are equivalent in the precedence, tells 
which of those operators are constructors ("(C)"), and/or have non- 
undefined status ("(M)" for “multiset,” "(L)" for "left-to-right," or "(R)” 
for "right-to-left"), and displays the operators to which they are greater 
than or equal in the precedence. OPERATORS without any arguments 
prints this information for all the operators in the system. If a list of 
operators is typed on the same line as the OPERATORS command, onty 


‘ information about the relationships between these operators is listed. 


Checks the operator information for certain kinds of inconsistencies. It 
will tell the user if there are any sets of equivalent operators that contain 
both constructors and non-constructors, or operators of both “multiset" 
and lexicographic ("left-to-right" or “right-to-left") status. This situation 
must be corrected before Knuth-Bendix can be run, so REVE automati- 
cally performs CHECK before running Knuth-Bendix. CHECK is not 
guaranteed to catch all such inconsistencies in a single pass; only to 
catch at feast one if there are any. 
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